usb: musb: fix possible out of bounds access

Either the condition 'epnum>=((u8)16)' is redundant or the array 'musb->endpoints[16]' is accessed at index 16, which is out of bounds. Signed-off-by: Oleksij Rempel <linux@rempel-privat.de> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
author: Oleksij Rempel <linux@rempel-privat.de> 2018-11-20 21:07:13 +0100
committer: Sascha Hauer <s.hauer@pengutronix.de> 2018-11-21 09:08:09 +0100
commit: 765aac64a94dae761de2a7af48eeaa4dcf25e973 (patch)
tree: d9386224db261db28162e4c2dd9111f41b72553e
parent: ded9e1e1a7bacce4c6d2c6bd2321e80a1b44f58f (diff)
download: barebox-765aac64a94dae761de2a7af48eeaa4dcf25e973.tar.gz
barebox-765aac64a94dae761de2a7af48eeaa4dcf25e973.tar.xz
1 files changed, 6 insertions, 1 deletions
diff --git a/drivers/usb/musb/musb_gadget_ep0.c b/drivers/usb/musb/musb_gadget_ep0.c
index feaa856451..c8f55ac32c 100644
--- a/drivers/usb/musb/musb_gadget_ep0.c
+++ b/drivers/usb/musb/musb_gadget_ep0.c
@@ -110,6 +110,11 @@ static int service_tx_status_request(
 			break;
 		}
 
+		if (epnum >= MUSB_C_NUM_EPS) {
+			handled = -EINVAL;
+			break;
+		}
+
 		is_in = epnum & USB_DIR_IN;
 		if (is_in) {
 			epnum &= 0x0f;
@@ -119,7 +124,7 @@ static int service_tx_status_request(
 		}
 		regs = musb->endpoints[epnum].regs;
 
-		if (epnum >= MUSB_C_NUM_EPS || !ep->desc) {
+		if (!ep->desc) {
 			handled = -EINVAL;
 			break;
 		}
author	Oleksij Rempel <linux@rempel-privat.de>	2018-11-20 21:07:13 +0100
committer	Sascha Hauer <s.hauer@pengutronix.de>	2018-11-21 09:08:09 +0100
commit	765aac64a94dae761de2a7af48eeaa4dcf25e973 (patch)
tree	d9386224db261db28162e4c2dd9111f41b72553e
parent	ded9e1e1a7bacce4c6d2c6bd2321e80a1b44f58f (diff)
download	barebox-765aac64a94dae761de2a7af48eeaa4dcf25e973.tar.gz barebox-765aac64a94dae761de2a7af48eeaa4dcf25e973.tar.xz