From patchwork Sat Apr 15 12:29:54 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Heinrich Schuchardt <xypron.glpk@gmx.de>
X-Patchwork-Id: 751029
X-Patchwork-Delegate: marek.vasut@gmail.com
Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.denx.de (dione.denx.de [81.169.180.215])
	by ozlabs.org (Postfix) with ESMTP id 3w4v4Z0x31z9s7B
	for <incoming@patchwork.ozlabs.org>;
	Sat, 15 Apr 2017 22:30:19 +1000 (AEST)
Received: by lists.denx.de (Postfix, from userid 105)
	id 9430DC21C74; Sat, 15 Apr 2017 12:30:13 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on lists.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=FREEMAIL_FROM,
	RCVD_IN_MSPIKE_H2 autolearn=unavailable autolearn_force=no
	version=3.4.0
Received: from lists.denx.de (localhost [IPv6:::1])
	by lists.denx.de (Postfix) with ESMTP id 5FBDEC21C3F;
	Sat, 15 Apr 2017 12:30:11 +0000 (UTC)
Received: by lists.denx.de (Postfix, from userid 105)
	id 363DDC21C3F; Sat, 15 Apr 2017 12:30:09 +0000 (UTC)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19])
	by lists.denx.de (Postfix) with ESMTPS id 991ACC21C3C
	for <u-boot@lists.denx.de>; Sat, 15 Apr 2017 12:30:05 +0000 (UTC)
Received: from LT002.fritz.box ([95.222.184.236]) by mail.gmx.com (mrgmx002
	[212.227.17.190]) with ESMTPSA (Nemesis) id
	0MOx4J-1cvmLC0Er9-006NjJ; Sat, 15 Apr 2017 14:30:05 +0200
From: Heinrich Schuchardt <xypron.glpk@gmx.de>
To: Marek Vasut <marex@denx.de>
Date: Sat, 15 Apr 2017 14:29:54 +0200
Message-Id: <20170415122954.18175-1-xypron.glpk@gmx.de>
X-Mailer: git-send-email 2.11.0
X-Provags-ID: V03:K0:FsA2Vs1dTbx2Vse/N0lkoK/qw1Q2WCjnym9a1MXvYQbjB5L8vML
	2v8pkMpCaZnomyphWkXllPGvdVE+7VSMUBHBz8THqMtjZfAqbAVOBNfziHWGRf8FBC8BvTI
	ia6ejvEJcfMyiVd7+w7kWG/2M1s9QnIKN+L/qcJc+Ix2Heh5SHoKBKY63RTDpxh9pwIdvUp
	YZiW+DsgDM0E/C1k53g6A==
X-UI-Out-Filterresults: notjunk:1; V01:K0:N60EljvtObY=:Y5B0eTJ+mtpVqik6Rh+ZQf
	xfUlBajJb7ql1p8alaLVX/8XoGTjpXT67BQrHZVLjD0v8jwFsclXswQs9o8eDRQVt7AU6lMwL
	Y3Pem+RP3zoEDD82/S/42UqTvfla8XQGklW3SxMRMrCAWHUqPHwIzx8aSxuNzhjJOr5IAcZod
	Gh5mS7rPvPBEFIPT66sdwCy09thZVpHVDu7KHf5V20ns7Gw+55/Z956nWv9IF7YlfAW1ExJDJ
	fN3yps+j2kwmna1TdG42mvgZbHByIxrtKxfHQmzfInjuB38LRNIVzq9aoiaKY5vb15WJhrpno
	vyuxp0kb8f4fEB+78m6a6L7t4KkoCOUOZyk5BqoZ0iR//p/ZfNBhwdLaw5Zq1Q/4agbv95Eqm
	I51ay8v2yjkVprL0oj70jPLF0htJ5EqSPMMmOR/yqZNSy0khzEh64krbb/kN6ShtOklj+E0Nu
	vbaXK9v1OYOlW+ldALHlFXkPoWiBY9f8+tDncmb9tipWr3YVJxuWa4VOX+PtjqrUg5IP+RVGG
	f9MObL+xNOk23/EzExODkOlPm+22epTL6sg7hPpcm3T3unxIQOo814iSYTgNZ/q5vc3+WaDPB
	jowL0Nw2VPTstWSn9GyKnll3DE7nz9ZUZAfYXaGI/940LFDR19mk1L+McW7dK26TTVcUexNR6
	JWt6XRj3IeQgf7pr1W7LR1wAX1ie/8Xxh2Mv72Q4+YR1IfTMzwYVqB4cm5gY8dP+LC/zea7q1
	XXeIR3eQ3cFlO17ksn0Vc4T7pBAV41JfdrNLBf7ppd4ghN7bSuOPt2n2Wfg=
Cc: u-boot@lists.denx.de, Heinrich Schuchardt <xypron.glpk@gmx.de>
Subject: [U-Boot] [RFC 1/1] usb: musb: avoid out of bound access in
	udc_setup_ep
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <http://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=subscribe>
MIME-Version: 1.0
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

For id = 15 an out of bound access occurs in udc_setup_ep().
Increase the size of epinfo[] from 30 to 32 to encompass
ids 0..15.

The problem was highlighted by cppcheck.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
I have no hardware for testing the patch.
Please, review thoroughly.
---
 drivers/usb/musb/musb_udc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/musb/musb_udc.c b/drivers/usb/musb/musb_udc.c
index 87640f4e32..d643334a2e 100644
--- a/drivers/usb/musb/musb_udc.c
+++ b/drivers/usb/musb/musb_udc.c
@@ -85,7 +85,7 @@ do {									\
 /* static implies these initialized to 0 or NULL */
 static int debug_setup;
 static int debug_level;
-static struct musb_epinfo epinfo[MAX_ENDPOINT * 2];
+static struct musb_epinfo epinfo[MAX_ENDPOINT * 2 + 2];
 static enum ep0_state_enum {
 	IDLE = 0,
 	TX,
@@ -944,7 +944,7 @@ int udc_init(void)
 	musbr = musb_cfg.regs;
 
 	/* Initialize the endpoints */
-	for (ep_loop = 0; ep_loop < MAX_ENDPOINT * 2; ep_loop++) {
+	for (ep_loop = 0; ep_loop <= MAX_ENDPOINT * 2; ep_loop++) {
 		epinfo[ep_loop].epnum = (ep_loop / 2) + 1;
 		epinfo[ep_loop].epdir = ep_loop % 2; /* OUT, IN */
 		epinfo[ep_loop].epsize = 0;