On Fri, Apr 06, 2012 at 05:02:18PM -0400, Xi Wang wrote:
> A large `nents' from userspace could overflow the allocation size,
> leading to memory corruption.
>
> | alloc_sglist()
> | usbtest_ioctl()
>
> Use kmalloc_array() to avoid the overflow.

How does that avoid the overflow?  We still would have allocated a huge
chunk, which would not be good.

How about bounding the size of nents instead?

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
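The two defences discussed in this exchange, a checked multiplication in the spirit of kmalloc_array() and an explicit upper bound on nents, are illustrated below in a stand-alone userspace C program. This is an added example, not the patch under review nor code from drivers/usb/misc/usbtest.c: `struct sg_entry` is a stand-in for the kernel's `struct scatterlist`, `SG_MAX_ENTRIES` is a constructed limit rather than a value from the thread, and `calloc()` stands in for `kmalloc()`. It shows why the two replies differ: the checked multiplication only catches the wrap-around, whereas the bound also rejects an enormous but non-overflowing request.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the kernel's struct scatterlist (assumed layout; the
 * arithmetic below holds for any element size larger than one byte). */
struct sg_entry {
    unsigned long page_link;
    unsigned int  offset;
    unsigned int  length;
    uint64_t      dma_address;
};

/* Unchecked size computation, the pattern the patch was fixing: n * size
 * silently wraps when the product exceeds SIZE_MAX, so a huge n turns into
 * a tiny allocation that later element writes overrun. */
size_t sglist_bytes_unchecked(size_t nents, size_t elem_size)
{
    return nents * elem_size;
}

/* Checked multiplication in the spirit of kmalloc_array(): returns false
 * (and nothing would be allocated) if n * size does not fit in size_t. */
bool sglist_bytes_checked(size_t nents, size_t elem_size, size_t *out)
{
    size_t total;

    if (__builtin_mul_overflow(nents, elem_size, &total))
        return false;
    *out = total;
    return true;
}

/* The bounding approach from the reply: reject any request above a
 * driver-chosen maximum before the size is computed at all, so neither a
 * wrap-around nor a huge-but-valid allocation can happen.
 * SG_MAX_ENTRIES is a constructed limit, not one taken from the thread. */
#define SG_MAX_ENTRIES 1024

bool sglist_nents_ok(unsigned int nents)
{
    return nents != 0 && nents <= SG_MAX_ENTRIES;
}

/* Allocate with both defences applied; returns NULL on rejection. */
struct sg_entry *alloc_sglist_safe(unsigned int nents)
{
    size_t bytes;

    if (!sglist_nents_ok(nents))
        return NULL;
    if (!sglist_bytes_checked(nents, sizeof(struct sg_entry), &bytes))
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Smallest count whose byte size no longer fits in size_t. */
    size_t huge = SIZE_MAX / sizeof(struct sg_entry) + 1;
    size_t bytes = 0;
    struct sg_entry *sg;

    printf("unchecked: %zu entries -> %zu bytes (wrapped)\n",
           huge, sglist_bytes_unchecked(huge, sizeof(struct sg_entry)));
    printf("checked:   overflow detected = %s\n",
           sglist_bytes_checked(huge, sizeof(struct sg_entry), &bytes)
               ? "no" : "yes");

    sg = alloc_sglist_safe(16);
    printf("bounded:   16 entries -> %s\n", sg ? "allocated" : "rejected");
    free(sg);
    printf("bounded:   %u entries -> %s\n", SG_MAX_ENTRIES + 1,
           alloc_sglist_safe(SG_MAX_ENTRIES + 1) ? "allocated" : "rejected");
    return 0;
}
```

The wrapped product is always smaller than one element, which is exactly why the unchecked form is dangerous: the buffer looks valid to the caller but cannot hold even a single entry. On a 32-bit build the same wrap is reachable with an `unsigned int` count, which is the case the patch description refers to.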