[PATCH] usb: gadget: aspeed_udc: validate endpoint index for ast udc
Andrew Jeffery
andrew at codeconstruct.com.au
Mon Jun 24 10:52:34 AEST 2024
On Sat, 2024-06-22 at 17:56 +0800, Ma Ke wrote:
> We should verify the bound of the array to assure that host
> may not manipulate the index to point past endpoint array.
>
> Signed-off-by: Ma Ke <make24 at iscas.ac.cn>
> ---
> drivers/usb/gadget/udc/aspeed_udc.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/usb/gadget/udc/aspeed_udc.c b/drivers/usb/gadget/udc/aspeed_udc.c
> index 3916c8e2ba01..95060592c231 100644
> --- a/drivers/usb/gadget/udc/aspeed_udc.c
> +++ b/drivers/usb/gadget/udc/aspeed_udc.c
> @@ -1009,6 +1009,8 @@ static void ast_udc_getstatus(struct ast_udc_dev *udc)
> break;
> case USB_RECIP_ENDPOINT:
> epnum = crq.wIndex & USB_ENDPOINT_NUMBER_MASK;
> + if (epnum >= USB_MAX_ENDPOINTS)
Shouldn't this be `epnum >= AST_UDC_NUM_ENDPOINTS`? Further,
USB_MAX_ENDPOINTS doesn't appear to be defined here?
What steps did you take to test this patch?
Andrew
More information about the Linux-aspeed
mailing list