If nents value is sufficiently large, e.g. 0x40000000, then it can overflow size in kmalloc and heap overflow happens. Therefore nents value needs to be checked to prevent overflow.

Signed-off-by: Insu Yun <wuninsu@xxxxxxxxx>
---
 drivers/usb/core/message.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 8e641b5..53393d5 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -367,7 +367,8 @@ int usb_sg_init(struct usb_sg_request *io, struct usb_device *dev, if (!io || !dev || !sg || usb_pipecontrol(pipe) || usb_pipeisoc(pipe) - || nents <= 0) + || nents <= 0 + || nents >= UINT_MAX / sizeof(*io->urbs)) return -EINVAL; spin_lock_init(&io->lock);
-- 
1.9.1
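Review bot: the added bound `nents >= UINT_MAX / sizeof(*io->urbs)` is tied to UINT_MAX while `sizeof` yields a `size_t`, so the limit is an arbitrary constant rather than the type that actually overflows; the more self-documenting fix is to do the multiplication at the allocation site with `kmalloc_array(nents, sizeof(*io->urbs), mem_flags)`, which rejects overflow for whatever width `size_t` has on the target, and keep the early check only as a sanity bound if one is still wanted. The check as written is well-defined because the preceding `|| nents <= 0` already rejects negative values before `nents` is promoted to unsigned for the comparison, but the commit message should name the allocation being protected (the `io->urbs` array, as implied by `sizeof(*io->urbs)`) so a reviewer can match the bound to the multiplication it guards.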