usb: usbtest: avoid integer overflow in test_ctrl_queue()

Avoid overflowing context.count = param->sglen * param->iterations,
where both `sglen' and `iterations' are from userspace.

| test_ctrl_queue()
| usbtest_ioctl()

Keep -EOPNOTSUPP for error code.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
index 959145b..967254a 100644 (file)
--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
@@ -904,6 +904,9 @@ test_ctrl_queue(struct usbtest_dev *dev, struct usbtest_param *param)
        struct ctrl_ctx         context;
        int                     i;
 
+       if (param->sglen == 0 || param->iterations > UINT_MAX / param->sglen)
+               return -EOPNOTSUPP;
+
        spin_lock_init(&context.lock);
        context.dev = dev;
        init_completion(&context.complete);
@@ -1981,8 +1984,6 @@ usbtest_ioctl(struct usb_interface *intf, unsigned int code, void *buf)
 
        /* queued control messaging */
        case 10:
-               if (param->sglen == 0)
-                       break;
                retval = 0;
                dev_info(&intf->dev,
                                "TEST 10:  queue %d control calls, %d times\n",