usb: musb-new: Limit check array index before use

epnum is used as an index into an array. The limit check for this index
should be performed before using it to access an element in the array to
prevent possible bounds overrun.

This issue was found by Smatch.

Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@kernel.org>

diff --git a/drivers/usb/musb-new/musb_gadget_ep0.c b/drivers/usb/musb-new/musb_gadget_ep0.c
index ea65326ab6264492ea668ddd047b360965a5ad19..25b1de6e58f9e2028e9b93a600d532ae0f5efcc1 100644 (file)
--- a/drivers/usb/musb-new/musb_gadget_ep0.c
+++ b/drivers/usb/musb-new/musb_gadget_ep0.c
@@ -96,6 +96,9 @@ static int service_tx_status_request(
                if (!epnum) {
                        result[0] = 0;
                        break;
+               } else if (epnum >= MUSB_C_NUM_EPS) {
+                       handled = -EINVAL;
+                       break;
                }
 
                is_in = epnum & USB_DIR_IN;
@@ -107,7 +110,7 @@ static int service_tx_status_request(
                }
                regs = musb->endpoints[epnum].regs;
 
-               if (epnum >= MUSB_C_NUM_EPS || !ep->desc) {
+               if (!ep->desc) {
                        handled = -EINVAL;
                        break;
                }