lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

USB: fix oops in usb_sg_init()

Browse Source 
This patch (as1401) fixes a bug in usb_sg_init() that can cause an
invalid pointer dereference.  An inner loop reuses some local variables
in an unsafe manner, so new variables are introduced.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Ajay Kumar Gupta <ajay.gupta@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
Alan Stern
2010-06-18 10:16:33 -04:00
committed by Greg Kroah-Hartman
parent 3b49d2315c
commit 64d65872f9
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
drivers/usb/core/message.c
View File

@@ -416,8 +416,11 @@ int usb_sg_init(struct usb_sg_request *io, struct usb_device *dev,
/* A length of zero means transfer the whole sg list */ /* A length of zero means transfer the whole sg list */
len = length; len = length;
if (len == 0) { if (len == 0) {
for_each_sg(sg, sg, nents, i) struct scatterlist *sg2;
len += sg->length; int j;
for_each_sg(sg, sg2, nents, j)
len += sg2->length;
} }
} else { } else {
/* /*