[U-Boot] [RFC 1/1] usb: musb: avoid out of bound access in udc_setup_ep
Marek Vasut
marex at denx.de
Sun Apr 16 16:27:38 UTC 2017
On 04/15/2017 02:29 PM, Heinrich Schuchardt wrote:
> For id = 15 an out of bound access occurs in udc_setup_ep().
> Increase the size of epinfo[] from 30 to 32 to encompass
> ids 0..15.
>
> The problem was highlighted by cppcheck.
>
> Signed-off-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
Applied, thanks.
> ---
> I have no hardware for testing the patch.
> Please, review thoroughly.
IMO makes sense, although it might be better to just set MAX_ENDPOINT to
16 and tweak the code instead to make things extra clear.
Also, could it be that this is also broken in Linux?
> ---
> drivers/usb/musb/musb_udc.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/musb/musb_udc.c b/drivers/usb/musb/musb_udc.c
> index 87640f4e32..d643334a2e 100644
> --- a/drivers/usb/musb/musb_udc.c
> +++ b/drivers/usb/musb/musb_udc.c
> @@ -85,7 +85,7 @@ do { \
> /* static implies these initialized to 0 or NULL */
> static int debug_setup;
> static int debug_level;
> -static struct musb_epinfo epinfo[MAX_ENDPOINT * 2];
> +static struct musb_epinfo epinfo[MAX_ENDPOINT * 2 + 2];
> static enum ep0_state_enum {
> IDLE = 0,
> TX,
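Review bot: the bare `+ 2` in `epinfo[MAX_ENDPOINT * 2 + 2]` is a magic number, and nothing at the declaration says which endpoint id the two extra slots are for. Consider a short comment there, or a named constant for the array length that udc_init() can reuse as its loop bound, so the array size and the initialization loop cannot drift apart.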
> @@ -944,7 +944,7 @@ int udc_init(void)
> musbr = musb_cfg.regs;
>
> /* Initialize the endpoints */
> - for (ep_loop = 0; ep_loop < MAX_ENDPOINT * 2; ep_loop++) {
> + for (ep_loop = 0; ep_loop <= MAX_ENDPOINT * 2; ep_loop++) {
> epinfo[ep_loop].epnum = (ep_loop / 2) + 1;
> epinfo[ep_loop].epdir = ep_loop % 2; /* OUT, IN */
> epinfo[ep_loop].epsize = 0;
>
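Review bot: the new loop bound `ep_loop <= MAX_ENDPOINT * 2` stops one short of the enlarged array. It covers indices 0 through MAX_ENDPOINT * 2, while epinfo[] is now declared with MAX_ENDPOINT * 2 + 2 entries, so the last slot never gets its epnum and epdir assigned here and keeps the static zero values; only the OUT half of the added pair is initialized. Suggest `ep_loop < MAX_ENDPOINT * 2 + 2`, or `ep_loop < ARRAY_SIZE(epinfo)` so the bound follows the declaration.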
--
Best regards,
Marek Vasut