author | Oleksij Rempel <linux@rempel-privat.de> | 2018-11-20 21:07:13 +0100 |
---|---|---|
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2018-11-21 09:08:09 +0100 |
commit | 765aac64a94dae761de2a7af48eeaa4dcf25e973 (patch) | |
tree | d9386224db261db28162e4c2dd9111f41b72553e | |
parent | ded9e1e1a7bacce4c6d2c6bd2321e80a1b44f58f (diff) | |
usb: musb: fix possible out of bounds access
Either the condition 'epnum>=((u8)16)' is redundant or the array
'musb->endpoints[16]' is accessed at index 16, which is out of bounds.
Signed-off-by: Oleksij Rempel <linux@rempel-privat.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
-rw-r--r-- | drivers/usb/musb/musb_gadget_ep0.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/drivers/usb/musb/musb_gadget_ep0.c b/drivers/usb/musb/musb_gadget_ep0.c index feaa856451..c8f55ac32c 100644 --- a/drivers/usb/musb/musb_gadget_ep0.c +++ b/drivers/usb/musb/musb_gadget_ep0.c @@ -110,6 +110,11 @@ static int service_tx_status_request( break; } + if (epnum >= MUSB_C_NUM_EPS) { + handled = -EINVAL; + break; + } + is_in = epnum & USB_DIR_IN; if (is_in) { epnum &= 0x0f; @@ -119,7 +124,7 @@ static int service_tx_status_request( } regs = musb->endpoints[epnum].regs; - if (epnum >= MUSB_C_NUM_EPS || !ep->desc) { + if (!ep->desc) { handled = -EINVAL; break; } |
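Review bot: the new `if (epnum >= MUSB_C_NUM_EPS)` check in the first hunk runs before `is_in = epnum & USB_DIR_IN` and before `epnum &= 0x0f`, so it compares the raw endpoint address with the direction bit still set. For any IN endpoint that bit (0x80) makes the value larger than the 16 named in the commit message, so the request gets `-EINVAL` before the lookup is ever reached. Suggest deriving `is_in` first, masking `epnum` with `0x0f`, and only then doing the bounds check, still ahead of the `musb->endpoints[epnum]` access. Note that the masked value cannot exceed 15, so it is worth stating in the commit message whether the check is kept as a guard against a smaller `MUSB_C_NUM_EPS` or could be dropped. The second hunk correctly removes the old test that ran after `musb->endpoints[epnum].regs` had already been read.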