diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2017-10-15 07:49:16 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2017-10-15 07:49:16 -0400 |
| commit | 7a263b16c5a258b2f3fe5b58a7c461cc9d34e99a (patch) | |
| tree | f885b9ce93b686bacef1cf31930fc40e4de8d235 /drivers/usb/misc/usbtest.c | |
| parent | 7a23c5abb930cefcef85df6dc0c8fb3e8961980c (diff) | |
| parent | 2d30408ecfd450c8377186615b330d329ded18ea (diff) | |
Merge tag 'usb-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB fixes from Greg KH:
"Here are a handful of USB driver fixes for 4.14-rc5.
There is the "usual" usb-serial fixes and device ids, USB gadget
fixes, and some more fixes found by the fuzz testing that is happening
on the USB layer right now.
All of these have been in my tree this week with no reported issues"
* tag 'usb-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
usb: usbtest: fix NULL pointer dereference
usb: gadget: configfs: Fix memory leak of interface directory data
usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options
usb: misc: usbtest: Fix overflow in usbtest_do_ioctl()
usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet
USB: dummy-hcd: Fix deadlock caused by disconnect detection
usb: phy: tegra: Fix phy suspend for UDC
USB: serial: console: fix use-after-free after failed setup
USB: serial: console: fix use-after-free on disconnect
USB: serial: qcserial: add Dell DW5818, DW5819
USB: serial: cp210x: add support for ELV TFD500
USB: serial: cp210x: fix partnum regression
USB: serial: option: add support for TP-Link LTE module
USB: serial: ftdi_sio: add id for Cypress WICED dev board
Diffstat (limited to 'drivers/usb/misc/usbtest.c')
| -rw-r--r-- | drivers/usb/misc/usbtest.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c index eee82ca55b7b..b3fc602b2e24 100644 --- a/drivers/usb/misc/usbtest.c +++ b/drivers/usb/misc/usbtest.c @@ -202,12 +202,13 @@ found: return tmp; } - if (in) { + if (in) dev->in_pipe = usb_rcvbulkpipe(udev, in->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); + if (out) dev->out_pipe = usb_sndbulkpipe(udev, out->desc.bEndpointAddress & USB_ENDPOINT_NUMBER_MASK); - } + if (iso_in) { dev->iso_in = &iso_in->desc; dev->in_iso_pipe = usb_rcvisocpipe(udev, @@ -1964,6 +1965,9 @@ test_queue(struct usbtest_dev *dev, struct usbtest_param_32 *param, int status = 0; struct urb *urbs[param->sglen]; + if (!param->sglen || param->iterations > UINT_MAX / param->sglen) + return -EINVAL; + memset(&context, 0, sizeof(context)); context.count = param->iterations * param->sglen; context.dev = dev; @@ -2087,6 +2091,8 @@ usbtest_do_ioctl(struct usb_interface *intf, struct usbtest_param_32 *param) if (param->iterations <= 0) return -EINVAL; + if (param->sglen > MAX_SGLEN) + return -EINVAL; /* * Just a bunch of test cases that every HCD is expected to handle. * |