projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| 885c8f02 GKH |
1 | From af6f8529098aeb0e56a68671b450cf74e7a64fcd Mon Sep 17 00:00:00 2001 |
| 2 | From: Heinrich Schuchardt <xypron.glpk@gmx.de> | |
| 3 | Date: Thu, 29 Mar 2018 10:48:28 -0500 | |
| 4 | Subject: usb: musb: gadget: misplaced out of bounds check | |
| 5 | ||
| 6 | From: Heinrich Schuchardt <xypron.glpk@gmx.de> | |
| 7 | ||
| 8 | commit af6f8529098aeb0e56a68671b450cf74e7a64fcd upstream. | |
| 9 | ||
| 10 | musb->endpoints[] has array size MUSB_C_NUM_EPS. | |
| 11 | We must check array bounds before accessing the array and not afterwards. | |
| 12 | ||
| 13 | Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> | |
| 14 | Signed-off-by: Bin Liu <b-liu@ti.com> | |
| 15 | Cc: stable <stable@vger.kernel.org> | |
| 16 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
| 17 | ||
| 18 | --- | |
| 19 | drivers/usb/musb/musb_gadget_ep0.c | 14 +++++++++----- | |
| 20 | 1 file changed, 9 insertions(+), 5 deletions(-) | |
| 21 | ||
| 22 | --- a/drivers/usb/musb/musb_gadget_ep0.c | |
| 23 | +++ b/drivers/usb/musb/musb_gadget_ep0.c | |
| 24 | @@ -89,15 +89,19 @@ static int service_tx_status_request( | |
| 25 | } | |
| 26 | ||
| 27 | is_in = epnum & USB_DIR_IN; | |
| 28 | - if (is_in) { | |
| 29 | - epnum &= 0x0f; | |
| 30 | + epnum &= 0x0f; | |
| 31 | + if (epnum >= MUSB_C_NUM_EPS) { | |
| 32 | + handled = -EINVAL; | |
| 33 | + break; | |
| 34 | + } | |
| 35 | + | |
| 36 | + if (is_in) | |
| 37 | ep = &musb->endpoints[epnum].ep_in; | |
| 38 | - } else { | |
| 39 | + else | |
| 40 | ep = &musb->endpoints[epnum].ep_out; | |
| 41 | - } | |
| 42 | regs = musb->endpoints[epnum].regs; | |
| 43 | ||
| 44 | - if (epnum >= MUSB_C_NUM_EPS || !ep->desc) { | |
| 45 | + if (!ep->desc) { | |
| 46 | handled = -EINVAL; | |
| 47 | break; | |
| 48 | } |