From patchwork Mon Mar 19 06:50:02 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Heinrich Schuchardt <xypron.glpk@gmx.de>
X-Patchwork-Id: 887589
X-Patchwork-Delegate: marek.vasut@gmail.com
Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.denx.de
	(client-ip=81.169.180.215; helo=lists.denx.de;
	envelope-from=u-boot-bounces@lists.denx.de;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=none (p=none dis=none) header.from=gmx.de
Received: from lists.denx.de (dione.denx.de [81.169.180.215])
	by ozlabs.org (Postfix) with ESMTP id 404RXD3Qqcz9sVY
	for <incoming@patchwork.ozlabs.org>;
	Mon, 19 Mar 2018 17:50:20 +1100 (AEDT)
Received: by lists.denx.de (Postfix, from userid 105)
	id DFE6AC21DA2; Mon, 19 Mar 2018 06:50:18 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on lists.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-0.0 required=5.0 tests=FREEMAIL_FROM,
	RCVD_IN_MSPIKE_H3,
	RCVD_IN_MSPIKE_WL autolearn=unavailable autolearn_force=no
	version=3.4.0
Received: from lists.denx.de (localhost [IPv6:::1])
	by lists.denx.de (Postfix) with ESMTP id 7D75FC21C51;
	Mon, 19 Mar 2018 06:50:15 +0000 (UTC)
Received: by lists.denx.de (Postfix, from userid 105)
	id 2D3D7C21C50; Mon, 19 Mar 2018 06:50:13 +0000 (UTC)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20])
	by lists.denx.de (Postfix) with ESMTPS id CF555C21C27
	for <u-boot@lists.denx.de>; Mon, 19 Mar 2018 06:50:12 +0000 (UTC)
Received: from LPT2.fritz.box ([62.143.244.228]) by mail.gmx.com (mrgmx102
	[212.227.17.174]) with ESMTPSA (Nemesis) id 0MMYZG-1eyKza13TK-008GQh;
	Mon, 19 Mar 2018 07:50:12 +0100
From: Heinrich Schuchardt <xypron.glpk@gmx.de>
To: Marek Vasut <marex@denx.de>
Date: Mon, 19 Mar 2018 07:50:02 +0100
Message-Id: <20180319065002.2495-1-xypron.glpk@gmx.de>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180318131843.20458-1-xypron.glpk@gmx.de>
References: <20180318131843.20458-1-xypron.glpk@gmx.de>
X-Provags-ID: V03:K0:iQU86q/gYFnu6R8bU4PxhIMmBMb28gh4ZOTtw18fPEV1WLIPNf4
	MpknFf/gMuKgtRuhrxTgLFH1sCdbTGjnn8ZRJhdJ849zUq7eI54mKXfNqHt77pbuZ6xmnJl
	My1zGRPY+VGNAkt6FuHwv+FROigLyCckKW9+y13A9kapttKoMv2THiYEoQzSbZnu2Yb/L5a
	YSvoB9obvtBOlQA2RMTzg==
X-UI-Out-Filterresults: notjunk:1; V01:K0:zaqrvWtLp1A=:/P30xXKiiRgsVrJG/+bPCc
	1ze7CjUuoVdWl7ks8Q8JMAuhQrraJeR57EAiNzb7wGj+dogKN3MDZQ8PnncLVJ+JSKyLBN3U5
	G2j6VgRec1EQJIZUxLMTPev3tACUpK/VOyvHg0xFe0pnFip676Z5MgdhQCX1yazSdY3avLLyv
	PQECQ8bUzUJMjqfcYE1moy4JkOWNgz7gXfJQg34u6ATNH5MsuDuVNG8+u6SBIXFGggtqrME4Y
	/hZhCWyTSiXP2avd/ljl15PtSeaNDwo6sjGFXxhveLNETduIKPS5tjetcjecbq8xU16z3ulnM
	wjv1rbBYu65kduA3dsFBHnbmO48JV+PFGjmm2UUlPe6BT+EHjHCqO6xLzhi60JmWlfCHyGtNw
	0ByOQT+yiMWk9lIbRzoWcf17Ddz5k5txUZV2qZEAbQwtDB2ii/HEyalD608euP3Qr5zfGkV3t
	IqAgPE/P/q7IZp8HkLW6vwhY/laNKST/rvcJjMGWSA6YCZGoDWlBU4tg6GyXy4FjJk/sJKpu0
	q0SSer2s9wwwCnFOzqpLugcXzkxu7RWXNEPFssIAp+VNDxGohYBua9UkvSg6SmCTgxEJ+oyF2
	o305v4XU/lM0yiq7rUMv5ZNqik2N2HZdzeuYpc17LcsvQYOtJPjqc7FNUJFWIeZncF/PgvmgC
	rP1xf2GXNcYQQZmt4etzbegkPs6jE94HsFCChsphYP2JHA/S2L5WhJbi+Mjm92uFMEMF3Wf34
	zxUlnozskDgCiLgufw5BrqP+4bY5b8hzaepCSngGQjCymfx7k7ahUM9rAEfBzJg7CCbygcNta
	xAjffD4pK61rq5bOqHsVzSjMwIpig==
Cc: u-boot@lists.denx.de, Heinrich Schuchardt <xypron.glpk@gmx.de>
Subject: [U-Boot] [PATCH v2 1/1] usb: musb-new: misplaced out of bounds check
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <http://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=subscribe>
MIME-Version: 1.0
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

musb->endpoints[] has array size MUSB_C_NUM_EPS.
We must check array bounds before accessing the array and not afterwards.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
v2
	do not move the ep->desc check
---
 drivers/usb/musb-new/musb_gadget_ep0.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/musb-new/musb_gadget_ep0.c b/drivers/usb/musb-new/musb_gadget_ep0.c
index 3cfcb2205a..aa57a7767d 100644
--- a/drivers/usb/musb-new/musb_gadget_ep0.c
+++ b/drivers/usb/musb-new/musb_gadget_ep0.c
@@ -95,6 +95,11 @@ static int service_tx_status_request(
 			break;
 		}
 
+		if (epnum >= MUSB_C_NUM_EPS) {
+			handled = -EINVAL;
+			break;
+		}
+
 		is_in = epnum & USB_DIR_IN;
 		if (is_in) {
 			epnum &= 0x0f;
@@ -104,7 +109,7 @@ static int service_tx_status_request(
 		}
 		regs = musb->endpoints[epnum].regs;
 
-		if (epnum >= MUSB_C_NUM_EPS || !ep->desc) {
+		if (!ep->desc) {
 			handled = -EINVAL;
 			break;
 		}