kcalloc has protection from integer overflows
which could arise from the multiplication of
number of elements and size.
Signed-off-by: Arjun Sreedharan <arjun024@xxxxxxxxx>
---
drivers/usb/core/config.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
index b2a540b..abde67d 100644
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -318,7 +318,7 @@ static int usb_parse_interface(struct device *ddev, int cfgno,
struct usb_interface_cache *intfc;
struct usb_host_interface *alt;
int i, n;
- int len, retval;
+ int retval;
int num_ep, num_ep_orig;
d = (struct usb_interface_descriptor *) buffer;
@@ -380,8 +380,7 @@ static int usb_parse_interface(struct device *ddev, int cfgno,
if (num_ep > 0) {
/* Can't allocate 0 bytes */
- len = sizeof(struct usb_host_endpoint) * num_ep;
- alt->endpoint = kzalloc(len, GFP_KERNEL);
+ alt->endpoint = kcalloc(num_ep, sizeof(struct usb_host_endpoint), GFP_KERNEL);
if (!alt->endpoint)
return -ENOMEM;
}
@@ -683,13 +682,11 @@ int usb_get_configuration(struct usb_device *dev)
return -EINVAL;
}
- length = ncfg * sizeof(struct usb_host_config);
- dev->config = kzalloc(length, GFP_KERNEL);
+ dev->config = kcalloc(ncfg, sizeof(struct usb_host_config), GFP_KERNEL);
if (!dev->config)
goto err2;
- length = ncfg * sizeof(char *);
- dev->rawdescriptors = kzalloc(length, GFP_KERNEL);
+ dev->rawdescriptors = kcalloc(ncfg, sizeof(char *), GFP_KERNEL);
if (!dev->rawdescriptors)
goto err2;
--
1.8.1.msysgit.1
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
