Commit 7f14c722 authored by Szymon Heidrich's avatar Szymon Heidrich Committed by Greg Kroah-Hartman

USB: gadget: validate endpoint index for xilinx udc

Ensure that the host cannot manipulate the index to point
past the endpoint array.
Signed-off-by: default avatarSzymon Heidrich <szymon.heidrich@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 32fde843
...@@ -1615,6 +1615,8 @@ static void xudc_getstatus(struct xusb_udc *udc) ...@@ -1615,6 +1615,8 @@ static void xudc_getstatus(struct xusb_udc *udc)
break; break;
case USB_RECIP_ENDPOINT: case USB_RECIP_ENDPOINT:
epnum = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; epnum = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK;
if (epnum >= XUSB_MAX_ENDPOINTS)
goto stall;
target_ep = &udc->ep[epnum]; target_ep = &udc->ep[epnum];
epcfgreg = udc->read_fn(udc->addr + target_ep->offset); epcfgreg = udc->read_fn(udc->addr + target_ep->offset);
halt = epcfgreg & XUSB_EP_CFG_STALL_MASK; halt = epcfgreg & XUSB_EP_CFG_STALL_MASK;
...@@ -1682,6 +1684,10 @@ static void xudc_set_clear_feature(struct xusb_udc *udc) ...@@ -1682,6 +1684,10 @@ static void xudc_set_clear_feature(struct xusb_udc *udc)
case USB_RECIP_ENDPOINT: case USB_RECIP_ENDPOINT:
if (!udc->setup.wValue) { if (!udc->setup.wValue) {
endpoint = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK; endpoint = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK;
if (endpoint >= XUSB_MAX_ENDPOINTS) {
xudc_ep0_stall(udc);
return;
}
target_ep = &udc->ep[endpoint]; target_ep = &udc->ep[endpoint];
outinbit = udc->setup.wIndex & USB_ENDPOINT_DIR_MASK; outinbit = udc->setup.wIndex & USB_ENDPOINT_DIR_MASK;
outinbit = outinbit >> 7; outinbit = outinbit >> 7;
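Review bot: Neither added bound (`if (epnum >= XUSB_MAX_ENDPOINTS)` in xudc_getstatus, `if (endpoint >= XUSB_MAX_ENDPOINTS)` in xudc_set_clear_feature) says why a value already masked with USB_ENDPOINT_NUMBER_MASK still needs a range check. The mask keeps the low four bits of the host-supplied wIndex, so the index can presumably still exceed the size of udc->ep[]. A one-line comment above each check would record this, for example `/* wIndex is host-controlled; the mask alone does not keep it inside udc->ep[] */`. The declaration of udc->ep is outside both hunks. If its size is not written in terms of XUSB_MAX_ENDPOINTS, `if (epnum >= ARRAY_SIZE(udc->ep))` would tie the bound to the array itself. Both function bodies, and the `stall` label, lie outside the visible lines, so any other use of wIndex as an index into udc->ep[] elsewhere in the driver should be checked for the same guard.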