On Tue, 1 Sep 2015, Peter Chen wrote:

> Allocate the size of urb pointer array according to testusb's
> parameter sglen, and limits the length of sglen as MAX_SGLEN
> (128 currently).
>
> Acked-by: Michal Nazarewicz <mina86@xxxxxxxxxx>
> Signed-off-by: Peter Chen <peter.chen@xxxxxxxxxxxxx>
> ---
>  drivers/usb/misc/usbtest.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
> index 9517812..8f294d7 100644
> --- a/drivers/usb/misc/usbtest.c
> +++ b/drivers/usb/misc/usbtest.c
> @@ -95,6 +95,7 @@ static struct usb_device *testdev_to_usbdev(struct usbtest_dev *test)
>  	dev_warn(&(tdev)->intf->dev , fmt , ## args)
>
>  #define GUARD_BYTE	0xA5
> +#define MAX_SGLEN	128
>
>  /*-------------------------------------------------------------------------*/
>
> @@ -1911,10 +1912,7 @@ test_iso_queue(struct usbtest_dev *dev, struct usbtest_param *param,
>  	unsigned		i;
>  	unsigned long		packets = 0;
>  	int			status = 0;
> -	struct urb		*urbs[10];	/* FIXME no limit */
> -
> -	if (param->sglen > 10)
> -		return -EDOM;
> +	struct urb		*urbs[param->sglen];
>
>  	memset(&context, 0, sizeof(context));
>  	context.count = param->iterations * param->sglen;
> @@ -2061,6 +2059,9 @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf)
>  	if (param->iterations <= 0)
>  		return -EINVAL;
>
> +	if (param->sglen > MAX_SGLEN)
> +		return -EINVAL;

This will not prevent problems.  The stack space gets allocated as soon
as the function starts, and if param->sglen is very big then the damage
will already have occurred by this point.

It's probably better simply to use kmalloc()/kfree() and not try to put
these things on the stack.

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
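Review bot: In the test_iso_queue hunk, `struct urb *urbs[param->sglen];` replaces a fixed 10-entry array with a variable-length array on the kernel stack whose dimension is taken straight from the ioctl parameter, and at the same time drops the `if (param->sglen > 10) return -EDOM;` guard that protected this function locally, so the function now depends entirely on every caller having validated sglen beforehand. With MAX_SGLEN at 128 that is 128 pointers (1 KiB on a 64-bit kernel) in a single frame, and a sglen of 0 produces a zero-length VLA. Suggest allocating the array instead, e.g. `urbs = kcalloc(param->sglen, sizeof(*urbs), GFP_KERNEL);` with `return -ENOMEM` on failure and a matching kfree() on the function's exit paths, which keeps the size off the stack and removes the VLA entirely; the `context.count = param->iterations * param->sglen;` line in the same hunk would then be the natural place to document the upper bound the caller guarantees.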
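Review bot: The new `if (param->sglen > MAX_SGLEN) return -EINVAL;` in usbtest_ioctl returns a different error code from the check it replaces, which returned -EDOM for the same out-of-range condition; either note in the commit message that the code returned to testusb changes deliberately, or keep -EDOM. Since sglen is now used directly as an array dimension, consider also rejecting `param->sglen == 0` here, next to the existing `if (param->iterations <= 0) return -EINVAL;` check, so both parameters are bounded in one place.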