Allocate the size of urb pointer array according to testusb's parameter sglen, and limits the length of sglen as MAX_SGLEN (128 currently). Acked-by: Michal Nazarewicz <mina86@xxxxxxxxxx> Signed-off-by: Peter Chen <peter.chen@xxxxxxxxxxxxx> --- drivers/usb/misc/usbtest.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c index 9517812..8f294d7 100644 --- a/drivers/usb/misc/usbtest.c +++ b/drivers/usb/misc/usbtest.c @@ -95,6 +95,7 @@ static struct usb_device *testdev_to_usbdev(struct usbtest_dev *test) dev_warn(&(tdev)->intf->dev , fmt , ## args) #define GUARD_BYTE 0xA5 +#define MAX_SGLEN 128 /*-------------------------------------------------------------------------*/ @@ -1911,10 +1912,7 @@ test_iso_queue(struct usbtest_dev *dev, struct usbtest_param *param, unsigned i; unsigned long packets = 0; int status = 0; - struct urb *urbs[10]; /* FIXME no limit */ - - if (param->sglen > 10) - return -EDOM; + struct urb *urbs[param->sglen]; memset(&context, 0, sizeof(context)); context.count = param->iterations * param->sglen; @@ -2061,6 +2059,9 @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf) if (param->iterations <= 0) return -EINVAL; + if (param->sglen > MAX_SGLEN) + return -EINVAL; + if (mutex_lock_interruptible(&dev->lock)) return -ERESTARTSYS; -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html