[U-Boot] [RFC 1/1] usb: musb: avoid out of bound access in udc_setup_ep
Heinrich Schuchardt
xypron.glpk at gmx.de
Sat Apr 15 12:29:54 UTC 2017
For id = 15 an out of bound access occurs in udc_setup_ep().
Increase the size of epinfo[] from 30 to 32 to encompass
ids 0..15.
The problem was highlighted by cppcheck.
Signed-off-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
---
I have no hardware for testing the patch.
Please, review thoroughly.
---
drivers/usb/musb/musb_udc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/musb/musb_udc.c b/drivers/usb/musb/musb_udc.c
index 87640f4e32..d643334a2e 100644
--- a/drivers/usb/musb/musb_udc.c
+++ b/drivers/usb/musb/musb_udc.c
@@ -85,7 +85,7 @@ do { \
/* static implies these initialized to 0 or NULL */
static int debug_setup;
static int debug_level;
-static struct musb_epinfo epinfo[MAX_ENDPOINT * 2];
+static struct musb_epinfo epinfo[MAX_ENDPOINT * 2 + 2];
static enum ep0_state_enum {
IDLE = 0,
TX,
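Review bot: The bare "+ 2" in the epinfo[] declaration is undocumented, and nothing ties it to the loop bound in udc_init() that must cover the same array. Consider writing the size as (MAX_ENDPOINT + 1) * 2 or as a named macro, with a short comment saying which endpoint ids and directions the slots represent, so that the 32-entry size the commit message asks for (ids 0..15) is self-explanatory and the loop can reuse the same expression.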
@@ -944,7 +944,7 @@ int udc_init(void)
musbr = musb_cfg.regs;
/* Initialize the endpoints */
- for (ep_loop = 0; ep_loop < MAX_ENDPOINT * 2; ep_loop++) {
+ for (ep_loop = 0; ep_loop <= MAX_ENDPOINT * 2; ep_loop++) {
epinfo[ep_loop].epnum = (ep_loop / 2) + 1;
epinfo[ep_loop].epdir = ep_loop % 2; /* OUT, IN */
epinfo[ep_loop].epsize = 0;
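Review bot: The new loop bound "ep_loop <= MAX_ENDPOINT * 2" does not match the new array size. epinfo[] now has MAX_ENDPOINT * 2 + 2 entries, but the loop stops at index MAX_ENDPOINT * 2, so the last entry never gets epnum and epdir assigned and keeps its static zero values. With the sizes given in the commit message (30 to 32), the loop also sets epinfo[30].epnum = (30 / 2) + 1 = 16 with epdir 0 and leaves no initialized epdir 1 partner for it, so please confirm which endpoint numbers the table is meant to hold. Bounding the loop by the array itself, for example with ARRAY_SIZE(epinfo), would keep the declaration and the initialization from drifting apart again.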
--
2.11.0