[PATCH] usb: fix potential integer overflow in usb_sg_init
From: Insu Yun
Date: Mon Jan 18 2016 - 12:05:09 EST
If nents value is sufficient large, e.g 0x40000000,
then it can overflow size in kmalloc and heap overflow happesns.
Therefore nents value needs to be checked to prevent overflow.
Signed-off-by: Insu Yun <wuninsu@xxxxxxxxx>
---
drivers/usb/core/message.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 8e641b5..53393d5 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -367,7 +367,8 @@ int usb_sg_init(struct usb_sg_request *io, struct usb_device *dev,
if (!io || !dev || !sg
|| usb_pipecontrol(pipe)
|| usb_pipeisoc(pipe)
- || nents <= 0)
+ || nents <= 0
+ || nents >= UINT_MAX / sizeof(*io->urbs))
return -EINVAL;
spin_lock_init(&io->lock);
--
1.9.1