
[U-Boot,RFC,1/1] usb: musb: avoid out of bound access in udc_setup_ep

Message ID 20170415122954.18175-1-xypron.glpk@gmx.de
State Accepted
Commit 7f2e59aee5894ffc1d79b485f45ae00902baa738
Delegated to: Marek Vasut

Commit Message

Heinrich Schuchardt April 15, 2017, 12:29 p.m. UTC
For id = 15, an out-of-bounds access occurs in udc_setup_ep().
Increase the size of epinfo[] from 30 to 32 to encompass
ids 0..15.

The problem was highlighted by cppcheck.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
I have no hardware for testing the patch.
Please, review thoroughly.
---
 drivers/usb/musb/musb_udc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Marek Vasut April 16, 2017, 4:27 p.m. UTC | #1
On 04/15/2017 02:29 PM, Heinrich Schuchardt wrote:
> For id = 15 an out of bound access occurs in udc_setup_ep().
> Increase the size of epinfo[] from 30 to 32 to encompass
> ids 0..15.
> 
> The problem was highlighted by cppcheck.
> 
> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

Applied, thanks.

> ---
> I have no hardware for testing the patch.
> Please, review thoroughly.

IMO makes sense, although it might be better to just set MAX_ENDPOINT to
16 and tweak the code instead to make things extra clear.

Also, could it be that this is also broken in Linux ?

> ---
>  drivers/usb/musb/musb_udc.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/usb/musb/musb_udc.c b/drivers/usb/musb/musb_udc.c
> index 87640f4e32..d643334a2e 100644
> --- a/drivers/usb/musb/musb_udc.c
> +++ b/drivers/usb/musb/musb_udc.c
> @@ -85,7 +85,7 @@ do {									\
>  /* static implies these initialized to 0 or NULL */
>  static int debug_setup;
>  static int debug_level;
> -static struct musb_epinfo epinfo[MAX_ENDPOINT * 2];
> +static struct musb_epinfo epinfo[MAX_ENDPOINT * 2 + 2];
>  static enum ep0_state_enum {
>  	IDLE = 0,
>  	TX,
> @@ -944,7 +944,7 @@ int udc_init(void)
>  	musbr = musb_cfg.regs;
>  
>  	/* Initialize the endpoints */
> -	for (ep_loop = 0; ep_loop < MAX_ENDPOINT * 2; ep_loop++) {
> +	for (ep_loop = 0; ep_loop <= MAX_ENDPOINT * 2; ep_loop++) {
>  		epinfo[ep_loop].epnum = (ep_loop / 2) + 1;
>  		epinfo[ep_loop].epdir = ep_loop % 2; /* OUT, IN */
>  		epinfo[ep_loop].epsize = 0;
>

Patch

diff --git a/drivers/usb/musb/musb_udc.c b/drivers/usb/musb/musb_udc.c
index 87640f4e32..d643334a2e 100644
--- a/drivers/usb/musb/musb_udc.c
+++ b/drivers/usb/musb/musb_udc.c
@@ -85,7 +85,7 @@  do {									\
 /* static implies these initialized to 0 or NULL */
 static int debug_setup;
 static int debug_level;
-static struct musb_epinfo epinfo[MAX_ENDPOINT * 2];
+static struct musb_epinfo epinfo[MAX_ENDPOINT * 2 + 2];
 static enum ep0_state_enum {
 	IDLE = 0,
 	TX,
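Review bot: The new size `MAX_ENDPOINT * 2 + 2` on the `epinfo[]` declaration carries no comment saying where the extra two slots come from, so a later reader cannot tell whether they are padding or part of the index scheme. Going by the commit message (ids 0..15) and the `/* OUT, IN */` comment in udc_init(), the array appears to hold one OUT and one IN entry per endpoint id. I would state that on the declaration, e.g. `/* one OUT and one IN entry per endpoint id 0..MAX_ENDPOINT */`. udc_setup_ep(), where the index is computed, is outside this hunk, so the layout should be confirmed there before the comment goes in.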
@@ -944,7 +944,7 @@  int udc_init(void)
 	musbr = musb_cfg.regs;
 
 	/* Initialize the endpoints */
-	for (ep_loop = 0; ep_loop < MAX_ENDPOINT * 2; ep_loop++) {
+	for (ep_loop = 0; ep_loop <= MAX_ENDPOINT * 2; ep_loop++) {
 		epinfo[ep_loop].epnum = (ep_loop / 2) + 1;
 		epinfo[ep_loop].epdir = ep_loop % 2; /* OUT, IN */
 		epinfo[ep_loop].epsize = 0;
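Review bot: The loop bound `ep_loop <= MAX_ENDPOINT * 2` stops one element short of the resized array. `epinfo[]` now has `MAX_ENDPOINT * 2 + 2` entries but the loop visits only `MAX_ENDPOINT * 2 + 1` of them, so the last entry keeps its static zero values for `epnum` and `epdir`. Per the commit message the overflowing access was for id = 15, which presumably lands on those top slots, so the skipped entry may be one the fix is meant to make usable. Tying the bound to the declaration removes the mismatch, e.g. `for (ep_loop = 0; ep_loop < MAX_ENDPOINT * 2 + 2; ep_loop++) {`. udc_init() starts before and continues after this hunk, and udc_setup_ep() is not shown, so whether a zero `epnum` in that slot is harmful needs checking against the full file.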