Received: by 10.213.65.68 with SMTP id h4csp1318126imn;
        Mon, 19 Mar 2018 00:13:47 -0700 (PDT)
X-Google-Smtp-Source: AG47ELsG67pbbvTzUrwo6Y7wzahzkXgxr4PxKb9RaLwIJEBT8OfSu5HBUnzopTauTwgPl5N86e0D
X-Received: by 2002:a17:902:3041:: with SMTP id u59-v6mr11107630plb.115.1521443626951;
        Mon, 19 Mar 2018 00:13:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521443626; cv=none;
        d=google.com; s=arc-20160816;
        b=ovxfyFjO+Ykq34E+yB87DqGtkYcKkquB441s+VVnz6M3OC4HLEdH8ehkeY4aEuDIwU
         zM+CEF7gP5rzA1zDIaFV4VXUURJKeb97qzztcnKNmg2vz/RnLj8YleCQZyM9S3H2LheZ
         Ioe54+NwJPuzXh6mLvFZHN2GCnhhJ/EFT8QzqN0p9HlaIv0u592BL3SGDlDD8PLt3sxK
         Ave08WAhRo1cIIlDXIMXI1ip+0hciQQTPQsWaX2IL28mZjyI0/CeTT8cv0Y2CO3jMXkY
         c0ysTtqWww2BLvujsw4QVu9fEr/GvFb2RrlhY0GDW+LrCr1R4WDSKavYeg2YUlIX9y8y
         f4yA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=0JcYsDD+CzvuXRrb2+gWeEsfm3CLs1YvoeMeml7cPh4=;
        b=a0XKHBwUGIUxa/ntwN/n5H+BX9pBnH2q0ePEYgazu7+3pIYecgV6Clqcp7nBSpl0rH
         6dh3bWf+Y6aHRTyyR02DhRiO3QCjKc7vAhe3iqfupdaDzqyHrGQjgtmcwGgVHe1uW/uh
         Jj5ATH3q01HPpNZ+DmpbOkOiOvAQZhy4TKqCXaRcCnsQ5HAwdjLzxblsBKIXpuq0nA52
         ND7FpkO7LTgaIZFJNOXKl8zIM38wCqIDtgAsvf+oQLeHY8r0soY02ayrjDAyQQG18Hk3
         Ufxgebm3nmDgvVNQkOmslkXIWe5pdz6zJXJ2Sp3BKwAIRrfDZhy4Ki/qCZ6jxmYh4YE0
         GULA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d9si8927358pgo.687.2018.03.19.00.13.32;
        Mon, 19 Mar 2018 00:13:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755321AbeCSHMj (ORCPT <rfc822;austinkernel.kim@gmail.com>
        + 99 others); Mon, 19 Mar 2018 03:12:39 -0400
Received: from mout.gmx.net ([212.227.15.15]:40445 "EHLO mout.gmx.net"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1754531AbeCSHMi (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 19 Mar 2018 03:12:38 -0400
Received: from LPT2.fritz.box ([62.143.244.228]) by mail.gmx.com (mrgmx002
 [212.227.17.184]) with ESMTPSA (Nemesis) id 0LtrKX-1eW5R62CaD-011Ccz; Mon, 19
 Mar 2018 08:12:33 +0100
From:   Heinrich Schuchardt <xypron.glpk@gmx.de>
To:     Bin Liu <b-liu@ti.com>
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
        Heinrich Schuchardt <xypron.glpk@gmx.de>
Subject: [PATCH 1/1] usb: musb: gadget: misplaced out of bounds check
Date:   Mon, 19 Mar 2018 08:12:28 +0100
Message-Id: <20180319071228.11051-1-xypron.glpk@gmx.de>
X-Mailer: git-send-email 2.16.2
X-Provags-ID: V03:K0:k0ePUfNbB+CRys/P6swwWzOg+QuQzPgbmwskRb9FBggHclhVSZj
 yhfuKCWo+7oEaA99NbqSGqUHpnukTd3HJqWeeUFvljSSu5XGaAWgyPFd43wlipAu7kzmcam
 S2BlnRjDROJfO+KWlG7D99bEwTEUOW/XxC0JeS5e7v2g54uvAG5HKJ6bIonN+7ArocpL9z9
 QS4v0rS1YaG607uKkX4TA==
X-UI-Out-Filterresults: notjunk:1;V01:K0:e3sWqG0qMEs=:/ovch+g7LinaqnCCePinjV
 OOAcjd3kt1+Uu3oDhVTw17rvSp0nbvF3gdIjoMt/4X8RlNIK4A71xTW1YZ7QJynTJHsgd+iFB
 fcvaEDOyKnnr8td84RWHOrM2AKe+v0hGDsWvrbLdrwJJDOW+NveLeNtM9ZB1XGozGeF/XKB1o
 R5vvCK4sYXD1tEM+B+mpede4I8xik4IDN4azf7wgeqYmWd8qp/JjrE5fecECrGV/+0aMu3H25
 Ii0InT3+M52GNoye5YvI6d0pHL7dVIYmpZGDzKnVXnHppMRr59vUi/epBiOTz+RrvuDn0ePKL
 qFJ8Md1LpvpUY9xzBQOKRGI5fqR/AJOAlK21GwS6KJpzvZukgiCbSyvqf0lsmSwXHWIzqHSHQ
 bFyTNJhCScbi6o8/DjupIqlbD6yOwRQYnIleviLMhS/WeoSELEtwHdL+b3G0j8EVG5StdMrCa
 tb3aQYl3va3xh8/OaSYxU61OJGEggURfMAuD2XV0neQRDmXMh1NtNt/al3c8GlN6ANMjW2XT7
 71g90vSFNsDUS6Kxut8iS9jYf99aJIKabbPa5pDqosQ1+fi3ZMw0YUWmj3+X11mdt2UipSAcx
 rPFfg2E8LyWhEW/M9oMWYCrOJFUL/u0ZhExySK2XKfDHw0B+2MSegDc1ld0pTSto7jEPYDdYe
 F+quV+XjkAIfPrfPsztbvKERIeAiXK4z6zlS5EkvWbhI/fpUBo4stT996aObIb/+xgOm2Zi4p
 /10ZcNopYcZ3o7xhE4bfM0XbUXcmhUHEn41eKUEUH3ujIhikN6xVuaZEavbp3K7NJj9uf2eIn
 MkKv6fb5IckkZYmkBcP+T6jczoFLA==
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

musb->endpoints[] has array size MUSB_C_NUM_EPS.
We must check array bounds before accessing the array and not afterwards.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
 drivers/usb/musb/musb_gadget_ep0.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/musb/musb_gadget_ep0.c b/drivers/usb/musb/musb_gadget_ep0.c
index 18da4873e52e..482e7c2f8dc7 100644
--- a/drivers/usb/musb/musb_gadget_ep0.c
+++ b/drivers/usb/musb/musb_gadget_ep0.c
@@ -88,6 +88,11 @@ static int service_tx_status_request(
 			break;
 		}
 
+		if (epnum >= MUSB_C_NUM_EPS) {
+			handled = -EINVAL;
+			break;
+		}
+
 		is_in = epnum & USB_DIR_IN;
 		if (is_in) {
 			epnum &= 0x0f;
@@ -97,7 +102,7 @@ static int service_tx_status_request(
 		}
 		regs = musb->endpoints[epnum].regs;
 
-		if (epnum >= MUSB_C_NUM_EPS || !ep->desc) {
+		if (!ep->desc) {
 			handled = -EINVAL;
 			break;
 		}
-- 
2.16.2