]>
Commit | Line | Data |
---|---|---|
885c8f02 GKH |
1 | From af6f8529098aeb0e56a68671b450cf74e7a64fcd Mon Sep 17 00:00:00 2001 |
2 | From: Heinrich Schuchardt <xypron.glpk@gmx.de> | |
3 | Date: Thu, 29 Mar 2018 10:48:28 -0500 | |
4 | Subject: usb: musb: gadget: misplaced out of bounds check | |
5 | ||
6 | From: Heinrich Schuchardt <xypron.glpk@gmx.de> | |
7 | ||
8 | commit af6f8529098aeb0e56a68671b450cf74e7a64fcd upstream. | |
9 | ||
10 | musb->endpoints[] has array size MUSB_C_NUM_EPS. | |
11 | We must check array bounds before accessing the array and not afterwards. | |
12 | ||
13 | Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> | |
14 | Signed-off-by: Bin Liu <b-liu@ti.com> | |
15 | Cc: stable <stable@vger.kernel.org> | |
16 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
17 | ||
18 | --- | |
19 | drivers/usb/musb/musb_gadget_ep0.c | 14 +++++++++----- | |
20 | 1 file changed, 9 insertions(+), 5 deletions(-) | |
21 | ||
22 | --- a/drivers/usb/musb/musb_gadget_ep0.c | |
23 | +++ b/drivers/usb/musb/musb_gadget_ep0.c | |
24 | @@ -89,15 +89,19 @@ static int service_tx_status_request( | |
25 | } | |
26 | ||
27 | is_in = epnum & USB_DIR_IN; | |
28 | - if (is_in) { | |
29 | - epnum &= 0x0f; | |
30 | + epnum &= 0x0f; | |
31 | + if (epnum >= MUSB_C_NUM_EPS) { | |
32 | + handled = -EINVAL; | |
33 | + break; | |
34 | + } | |
35 | + | |
36 | + if (is_in) | |
37 | ep = &musb->endpoints[epnum].ep_in; | |
38 | - } else { | |
39 | + else | |
40 | ep = &musb->endpoints[epnum].ep_out; | |
41 | - } | |
42 | regs = musb->endpoints[epnum].regs; | |
43 | ||
44 | - if (epnum >= MUSB_C_NUM_EPS || !ep->desc) { | |
45 | + if (!ep->desc) { | |
46 | handled = -EINVAL; | |
47 | break; | |
48 | } |