Out of bounds access in service_tx_status_request() in musb_gadget_ep0.c

Marek Vasut marex at denx.de
Mon Apr 5 14:34:15 CEST 2021


On 4/5/21 2:38 AM, Heinrich Schuchardt wrote:
> Hello Marek,

Hi,

> &musb->endpoints[epnum].ep_out may be accessed out of bounds if a device
> sends a malformed message with ctrlrequest->wIndex = 0x10.

Where?

> The Linux code avoids this issue.

Please send a fix, thanks.


More information about the U-Boot mailing list