From patchwork Wed Jun 26 09:46:13 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: =?utf-8?q?=C5=81ukasz_Majewski?=
 <l.majewski@samsung.com>
X-Patchwork-Id: 254678
X-Patchwork-Delegate: marek.vasut@gmail.com
Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from theia.denx.de (theia.denx.de [85.214.87.163])
	by ozlabs.org (Postfix) with ESMTP id 4C06D2C0087
	for <incoming@patchwork.ozlabs.org>;
	Wed, 26 Jun 2013 19:47:11 +1000 (EST)
Received: from localhost (localhost [127.0.0.1])
	by theia.denx.de (Postfix) with ESMTP id C05CA4A02D;
	Wed, 26 Jun 2013 11:47:07 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at theia.denx.de
Received: from theia.denx.de ([127.0.0.1])
	by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id dxKOnQYcW4Kz; Wed, 26 Jun 2013 11:47:07 +0200 (CEST)
Received: from theia.denx.de (localhost [127.0.0.1])
	by theia.denx.de (Postfix) with ESMTP id AC4E54A02C;
	Wed, 26 Jun 2013 11:47:02 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by theia.denx.de (Postfix) with ESMTP id BECC64A02C
	for <u-boot@lists.denx.de>; Wed, 26 Jun 2013 11:46:56 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at theia.denx.de
Received: from theia.denx.de ([127.0.0.1])
	by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id mv9jTLmXx57w for <u-boot@lists.denx.de>;
	Wed, 26 Jun 2013 11:46:50 +0200 (CEST)
X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5
	NOT_IN_BL_NJABL=-1.5 (only DNSBL check requested)
Received: from mailout1.samsung.com (mailout1.samsung.com [203.254.224.24])
	by theia.denx.de (Postfix) with ESMTP id 838EE4A02A
	for <u-boot@lists.denx.de>; Wed, 26 Jun 2013 11:46:44 +0200 (CEST)
Received: from epcpsbgm1.samsung.com (epcpsbgm1 [203.254.230.26])
	by mailout1.samsung.com
	(Oracle Communications Messaging Server 7u4-24.01(7.0.4.24.0) 64bit
	(built Nov
	17 2011)) with ESMTP id <0MOZ00JN2V5Q93Z0@mailout1.samsung.com> for
	u-boot@lists.denx.de; Wed, 26 Jun 2013 18:46:38 +0900 (KST)
X-AuditID: cbfee61a-b7f3b6d000006edd-61-51cab87e254c
Received: from epmmp1.local.host ( [203.254.227.16])
	by epcpsbgm1.samsung.com (EPCPMTA) with SMTP id 2A.F6.28381.E78BAC15;
	Wed, 26 Jun 2013 18:46:38 +0900 (KST)
Received: from mcdsrvbld02.digital.local ([106.116.37.23])
	by mmp1.samsung.com (Oracle Communications Messaging Server 7u4-24.01
	(7.0.4.24.0) 64bit (built Nov 17 2011))
	with ESMTPA id <0MOZ002H4V54H4P0@mmp1.samsung.com>; Wed,
	26 Jun 2013 18:46:38 +0900 (KST)
From: Lukasz Majewski <l.majewski@samsung.com>
To: u-boot@lists.denx.de
Date: Wed, 26 Jun 2013 11:46:13 +0200
Message-id: <1372239973-25200-1-git-send-email-l.majewski@samsung.com>
X-Mailer: git-send-email 1.7.10
X-Brightmail-Tracker: 
 H4sIAAAAAAAAA+NgFvrDJMWRmVeSWpSXmKPExsVy+t9jAd26HacCDbauMLPYcec+s8XZpjfs
	Fm8ebma0eNPWyGix6/ZkFovJi+czW7zd28nuwO4x7+dEJo95s06weJy9s4PRo2/LKkaP4ze2
	MwWwRnHZpKTmZJalFunbJXBl/Nn7iK3gAEfFxnNLWRoYe9m7GDk5JARMJP49OMMKYYtJXLi3
	nq2LkYtDSGARo8TF4xPYIZwuJok9Lw4xg1SxCehJfL77lAnEFhGQkPjVf5URpIhZ4CGjxM+l
	Z4AcDg5hAR+JCSulQGpYBFQlrkw+zQYS5hVwk+ie6gKxTF7i6f0+tgmM3AsYGVYxiqYWJBcU
	J6XnGuoVJ+YWl+al6yXn525iBIfJM6kdjCsbLA4xCnAwKvHwKmw9GSjEmlhWXJl7iFGCg1lJ
	hPfN/FOBQrwpiZVVqUX58UWlOanFhxilOViUxHkPtFoHCgmkJ5akZqemFqQWwWSZODilGhgv
	RhlGc9w/GWUjvP2jWsSJziupO/suv184R/pv246QDV9kCpyeL9i9Seul6FYZvQ11IpK6H0Ts
	q73K1nGKXp1dNMn3/G53Zo5CdaULcTN0vFZZF7yWEWV6e2lyt+5E7TMpfTpvZm9+99vg1F4O
	LnVTm+mJc84Uv5t7d72o/jehZAW2W2EKun5KLMUZiYZazEXFiQD2BM3nDwIAAA==
Cc: Marek Vasut <marex@denx.de>,
	Pantelis Antoniou <panto@antoniou-consulting.com>,
	Kyungmin Park <kyungmin.park@samsung.com>,
	Tom Rini <trini@ti.com>, Heiko Schocher <hs@denx.de>
Subject: [U-Boot] [PATCH] dfu:function: Fix number of allocated DFU function
	pointers
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.11
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <http://lists.denx.de/mailman/options/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <http://lists.denx.de/pipermail/u-boot>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <http://lists.denx.de/mailman/listinfo/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=subscribe>
MIME-Version: 1.0
Sender: u-boot-bounces@lists.denx.de
Errors-To: u-boot-bounces@lists.denx.de

This subtle change fix problem with too small amount of allocated
memory to store DFU function pointers.

One needs to allocate extra space for sentinel NULL pointer in this array
of function pointers.

With the previous code, the NULL value overwrites malloc internal data
and afterwards free(f_dfu->function) crashes.

Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Marek Vasut <marex@denx.de>
Acked-by: Heiko Schocher <hs@denx.de>
---
 drivers/usb/gadget/f_dfu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
index 178a004..e3fa0e3 100644
--- a/drivers/usb/gadget/f_dfu.c
+++ b/drivers/usb/gadget/f_dfu.c
@@ -589,7 +589,7 @@ static int dfu_prepare_function(struct f_dfu *f_dfu, int n)
 	struct usb_interface_descriptor *d;
 	int i = 0;
 
-	f_dfu->function = calloc(sizeof(struct usb_descriptor_header *), n);
+	f_dfu->function = calloc(sizeof(struct usb_descriptor_header *), n + 1);
 	if (!f_dfu->function)
 		goto enomem;