On Wed, 2 Sep 2015, Peter Chen wrote:

> > > @@ -1911,10 +1912,7 @@ test_iso_queue(struct usbtest_dev *dev, struct
> > usbtest_param *param,
> > > unsigned i;
> > > unsigned long packets = 0;
> > > int status = 0;
> > > - struct urb *urbs[10]; /* FIXME no limit */
> > > -
> > > - if (param->sglen > 10)
> > > - return -EDOM;
> > > + struct urb *urbs[param->sglen];
> > >
> > > memset(&context, 0, sizeof(context));
> > > context.count = param->iterations * param->sglen; @@ -2061,6
> > +2059,9
> > > @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf)
> > > if (param->iterations <= 0)
> > > return -EINVAL;
> > >
> > > + if (param->sglen > MAX_SGLEN)
> > > + return -EINVAL;
> >
> > This will not prevent problems. The stack space gets allocated as soon as the
> > function starts, and if param->sglen is very big then the damage will already
> > have occurred by this point.
> >
>
> Sorry? It is the beginning of usbtest_ioctl, the test_iso_queue has still not
> been called.

Oh, you are right. I didn't read the patch carefully enough. Sorry.

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
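Review bot: in the test_iso_queue hunk, dropping `if (param->sglen > 10) return -EDOM;` removes the only bound that lived next to the array, and the replacement `struct urb *urbs[param->sglen];` sizes a kernel-stack variable-length array from a value that arrives through the ioctl, so this function is now safe only because the caller has already checked `param->sglen` against `MAX_SGLEN`; a one-line comment at the declaration stating that the caller guarantees `param->sglen <= MAX_SGLEN` would keep that dependency visible to anyone who later adds another caller or reorders the checks. Also worth noting in the changelog: an oversized sglen used to fail with -EDOM from test_iso_queue and now fails with -EINVAL from usbtest_ioctl, which is a visible change in the error returned to userspace.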
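Review bot: the new `if (param->sglen > MAX_SGLEN) return -EINVAL;` sits directly after the `param->iterations <= 0` check at the top of usbtest_ioctl, before any test routine is dispatched, so the VLA in test_iso_queue is indeed bounded before its frame is ever set up, which is the point Peter makes below; what the quoted hunks do not show is the definition of `MAX_SGLEN`, and since that constant now determines the worst-case size of a stack array it should appear in the patch (or be quoted in the changelog) so reviewers can confirm that `MAX_SGLEN` pointers plus the rest of the frame stay well within the kernel stack.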