[U-Boot] [RFC 1/1] usb: musb: avoid out of bound access in udc_setup_ep

For id = 15 an out-of-bounds access occurs in udc_setup_ep(). Increase the size of epinfo[] from 30 to 32 to encompass ids 0..15.
The problem was highlighted by cppcheck.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
I have no hardware for testing the patch. Please, review thoroughly.
---
 drivers/usb/musb/musb_udc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/musb/musb_udc.c b/drivers/usb/musb/musb_udc.c index 87640f4e32..d643334a2e 100644 --- a/drivers/usb/musb/musb_udc.c +++ b/drivers/usb/musb/musb_udc.c @@ -85,7 +85,7 @@ do { \ /* static implies these initialized to 0 or NULL */ static int debug_setup; static int debug_level; -static struct musb_epinfo epinfo[MAX_ENDPOINT * 2]; +static struct musb_epinfo epinfo[MAX_ENDPOINT * 2 + 2]; static enum ep0_state_enum { IDLE = 0, TX, @@ -944,7 +944,7 @@ int udc_init(void) musbr = musb_cfg.regs;
/* Initialize the endpoints */ - for (ep_loop = 0; ep_loop < MAX_ENDPOINT * 2; ep_loop++) { + for (ep_loop = 0; ep_loop <= MAX_ENDPOINT * 2; ep_loop++) { epinfo[ep_loop].epnum = (ep_loop / 2) + 1; epinfo[ep_loop].epdir = ep_loop % 2; /* OUT, IN */ epinfo[ep_loop].epsize = 0;
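Review bot: the `+ 2` in `epinfo[MAX_ENDPOINT * 2 + 2]` is a magic number that hides why the table grows (the commit message says ids 0..15 need 32 slots, i.e. 16 ids times two directions). Deriving the size from the id range, for example `(MAX_ENDPOINT + 1) * 2`, with a comment naming the index expression used in udc_setup_ep(), would let the next reader see the bound without rediscovering the off-by-one from the commit message.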
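Review bot: the loop bound and the new array size do not agree: `<= MAX_ENDPOINT * 2` adds one iteration (index 30) while the array gained two entries, so epinfo[31] is never initialised beyond the static zero fill (epnum 0, epsize 0). The extra iteration also assigns `epnum = (30 / 2) + 1`, i.e. 16, which is above MAX_ENDPOINT if MAX_ENDPOINT is 15 as the 30 -> 32 sizing implies. Either iterate over `ARRAY_SIZE(epinfo)` so every slot is initialised, or document why the last slot is intentionally skipped and why epnum 16 is a valid endpoint number here.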

On 04/15/2017 02:29 PM, Heinrich Schuchardt wrote:
For id = 15 an out-of-bounds access occurs in udc_setup_ep(). Increase the size of epinfo[] from 30 to 32 to encompass ids 0..15.
The problem was highlighted by cppcheck.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Applied, thanks.
I have no hardware for testing the patch. Please, review thoroughly.
IMO makes sense, although it might be better to just set MAX_ENDPOINT to 16 and tweak the code instead to make things extra clear.
Also, could it be that this is also broken in Linux?
 drivers/usb/musb/musb_udc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/musb/musb_udc.c b/drivers/usb/musb/musb_udc.c index 87640f4e32..d643334a2e 100644 --- a/drivers/usb/musb/musb_udc.c +++ b/drivers/usb/musb/musb_udc.c @@ -85,7 +85,7 @@ do { \ /* static implies these initialized to 0 or NULL */ static int debug_setup; static int debug_level; -static struct musb_epinfo epinfo[MAX_ENDPOINT * 2]; +static struct musb_epinfo epinfo[MAX_ENDPOINT * 2 + 2]; static enum ep0_state_enum { IDLE = 0, TX, @@ -944,7 +944,7 @@ int udc_init(void) musbr = musb_cfg.regs;
/* Initialize the endpoints */
- for (ep_loop = 0; ep_loop < MAX_ENDPOINT * 2; ep_loop++) {
- for (ep_loop = 0; ep_loop <= MAX_ENDPOINT * 2; ep_loop++) { epinfo[ep_loop].epnum = (ep_loop / 2) + 1; epinfo[ep_loop].epdir = ep_loop % 2; /* OUT, IN */ epinfo[ep_loop].epsize = 0;
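The sizing problem described in the commit message, and the alternative raised in the reply of deriving everything from a single endpoint count, as an added C example that is not U-Boot code. Its assumptions are not taken from the page: ids run 0..15 (NUM_ENDPOINTS = 16), each id owns an OUT and an IN slot at index id * 2 + dir, and epnum = id + 1 so the init loop reproduces the page's "(ep_loop / 2) + 1" mapping. The old size of 30 is kept as a constant only so the lookup can be checked against it.

```c
/*
 * Added example, not U-Boot code. Models the endpoint-info table so the
 * off-by-one can be reasoned about in isolation. Assumptions: ids 0..15,
 * index = id * 2 + dir, epnum = id + 1 (matching "(ep_loop / 2) + 1").
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_ENDPOINTS 16                 /* hypothetical: ids 0..15 */
#define EPINFO_OLD_SIZE 30               /* the size the commit message calls too small */
#define EPINFO_SIZE (NUM_ENDPOINTS * 2)  /* two slots (OUT, IN) per id */

struct musb_epinfo {
	unsigned char epnum;    /* 1-based endpoint number */
	unsigned char epdir;    /* 0 = OUT, 1 = IN */
	unsigned short epsize;
};

static struct musb_epinfo epinfo[EPINFO_SIZE];

/* The highest index the formula can produce must fit in the table. */
_Static_assert((NUM_ENDPOINTS - 1) * 2 + 1 < EPINFO_SIZE,
	       "epinfo[] too small for the id range");

/*
 * Table index for (id, dir), or -1 if it would fall outside a table of
 * 'size' entries. Checking the computed index, not just 'id', is what
 * catches id = 15 against the old size of 30.
 */
int epinfo_index(unsigned int id, unsigned int dir, size_t size)
{
	if (dir > 1 || id >= NUM_ENDPOINTS)
		return -1;
	size_t idx = (size_t)id * 2 + dir;
	return idx < size ? (int)idx : -1;
}

/* Initialise every slot, bounding the loop by the array's real size.
 * Returns the number of slots initialised. */
size_t epinfo_init(void)
{
	size_t n = sizeof(epinfo) / sizeof(epinfo[0]);
	for (size_t i = 0; i < n; i++) {
		epinfo[i].epnum = (unsigned char)(i / 2 + 1);
		epinfo[i].epdir = (unsigned char)(i % 2);   /* OUT, IN */
		epinfo[i].epsize = 0;
	}
	return n;
}

/* Guarded setup: returns false instead of writing past the table. */
bool epinfo_setup(unsigned int id, unsigned int dir, unsigned short size)
{
	int idx = epinfo_index(id, dir, sizeof(epinfo) / sizeof(epinfo[0]));
	if (idx < 0)
		return false;
	epinfo[idx].epsize = size;
	return true;
}

/* epnum recorded in slot i, or 0 when i is outside the table. */
unsigned int epinfo_epnum_at(size_t i)
{
	return i < sizeof(epinfo) / sizeof(epinfo[0]) ? epinfo[i].epnum : 0;
}

int main(void)
{
	epinfo_init();
	printf("id 15 IN against old size %d: index %d\n", EPINFO_OLD_SIZE,
	       epinfo_index(15, 1, EPINFO_OLD_SIZE));
	printf("id 15 IN against new size %d: index %d\n", EPINFO_SIZE,
	       epinfo_index(15, 1, EPINFO_SIZE));
	printf("setup id 15 IN: %s\n",
	       epinfo_setup(15, 1, 64) ? "ok" : "rejected");
	return 0;
}
```

The design point is that the array size, the static assertion and the loop bound are all expressed in terms of one constant, so a change to the endpoint count cannot leave the initialisation loop and the table disagreeing; the runtime check in epinfo_index() is the defensive fallback for an id that the table was never sized for.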