> > ---
> > drivers/usb/misc/usbtest.c | 9 +++++----
> > 1 file changed, 5 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
> > index 9517812..8f294d7 100644
> > --- a/drivers/usb/misc/usbtest.c
> > +++ b/drivers/usb/misc/usbtest.c
> > @@ -95,6 +95,7 @@ static struct usb_device *testdev_to_usbdev(struct
> usbtest_dev *test)
> > dev_warn(&(tdev)->intf->dev , fmt , ## args)
> >
> > #define GUARD_BYTE 0xA5
> > +#define MAX_SGLEN 128
> >
> >
> > /*--------------------------------------------------------------------
> > -----*/
> >
> > @@ -1911,10 +1912,7 @@ test_iso_queue(struct usbtest_dev *dev, struct
> usbtest_param *param,
> > unsigned i;
> > unsigned long packets = 0;
> > int status = 0;
> > - struct urb *urbs[10]; /* FIXME no limit */
> > -
> > - if (param->sglen > 10)
> > - return -EDOM;
> > + struct urb *urbs[param->sglen];
> >
> > memset(&context, 0, sizeof(context));
> > context.count = param->iterations * param->sglen; @@ -2061,6
> +2059,9
> > @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf)
> > if (param->iterations <= 0)
> > return -EINVAL;
> >
> > + if (param->sglen > MAX_SGLEN)
> > + return -EINVAL;
>
> This will not prevent problems. The stack space gets allocated as soon as the
> function starts, and if param->sglen is very big then the damage will already
> have occurred by this point.
>
Sorry? It is the beginning of usbtest_ioctl, the test_iso_queue has still not been called.
Peter
> It's probably better simply to use kmalloc()/kfree() and not try to put these
> things on the stack.
>
> Alan Stern
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
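Review bot: In the test_iso_queue hunk, `struct urb *urbs[param->sglen];` has no lower bound visible in these hunks, and a variable-length array of length zero is undefined in ISO C, whereas the removed fixed `urbs[10]` tolerated `sglen == 0`. Since `param` appears to be filled from the ioctl caller, the iso path should reject that value before test_iso_queue is entered, unless a caller outside the hunk already does so; for example `if (param->sglen == 0) return -EINVAL;`. The over-long case also changes its error from `-EDOM` to `-EINVAL`, which user-space test scripts matching on errno would notice, so it deserves a line in the changelog. The body of test_iso_queue starts and ends outside the hunk.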