From: Xi Wang <xi.wang@gmail.com>
Date: Mon, 9 Apr 2012 19:48:55 +0000 (-0400)
Subject: usb: usbtest: avoid integer overflow in test_ctrl_queue()
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=e65cdfae71cecec0fcd43a3f9ac8b5e4ae52db08;p=GitHub%2Fmt8127%2Fandroid_kernel_alcatel_ttab.git

usb: usbtest: avoid integer overflow in test_ctrl_queue()

Avoid overflowing context.count = param->sglen * param->iterations,
where both `sglen' and `iterations' are from userspace.

| test_ctrl_queue()
| usbtest_ioctl()

Keep -EOPNOTSUPP for error code.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
index 959145baf3cf..967254afb6e8 100644
--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
@@ -904,6 +904,9 @@ test_ctrl_queue(struct usbtest_dev *dev, struct usbtest_param *param)
 	struct ctrl_ctx		context;
 	int			i;
 
+	if (param->sglen == 0 || param->iterations > UINT_MAX / param->sglen)
+		return -EOPNOTSUPP;
+
 	spin_lock_init(&context.lock);
 	context.dev = dev;
 	init_completion(&context.complete);
@@ -1981,8 +1984,6 @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf)
 
 	/* queued control messaging */
 	case 10:
-		if (param->sglen == 0)
-			break;
 		retval = 0;
 		dev_info(&intf->dev,
 				"TEST 10:  queue %d control calls, %d times\n",