Out of bounds access in service_tx_status_request() in musb_gadget_ep0.c

Heinrich Schuchardt xypron.glpk at gmx.de
Mon Apr 5 02:38:18 CEST 2021

Previous message (by thread): [RFC] musb_bulk_rx_nak_timeout()
Next message (by thread): Out of bounds access in service_tx_status_request() in musb_gadget_ep0.c
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello Marek,

&musb->endpoints[epnum].ep_out may be accessed out of bounds if a device
sends a malformed message with ctrlrequest->wIndex = 0x10.

The Linux code avoids this issue.

Best regards

Heinrich

Previous message (by thread): [RFC] musb_bulk_rx_nak_timeout()
Next message (by thread): Out of bounds access in service_tx_status_request() in musb_gadget_ep0.c
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the U-Boot mailing list