Received: by 10.213.65.68 with SMTP id h4csp1643679imn; Mon, 19 Mar 2018 09:28:47 -0700 (PDT) X-Google-Smtp-Source: AG47ELvLQRVau6JT1FJT9APYYi//Oiuqq5lIS1l8cMM4/C16Dw6DEa5kF+/KIIP2/EyCCTZf/luz X-Received: by 2002:a17:902:444:: with SMTP id 62-v6mr13385520ple.127.1521476927821; Mon, 19 Mar 2018 09:28:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521476927; cv=none; d=google.com; s=arc-20160816; b=DtWwr42W4AsOEnzCUk7UG312vsGzKAmew0+WyjbPLassokNyofaECd2dzEkDbrLyXo mH5QHVFWWiH16UVYgF/zTrJ7yshoAy39cPJX0qzfKTbkNQvJeFrcg3m5HgcLYuucu88P JVmRJjSLoUMYJsUnWR3kDGY4wptnrfHXOkcwhh9tEL/18+r8zJsQyQ74musrbC0nbHA5 fj/chU2fDcrIlXSwCzbdpXmU5dztidST9q3+hVvnYFtln3tZ3/q2Ez6v8SbbV1ZLfOtl aruBStCGbPUvDcgQDJ9vqnRKRfw8cqaYvhewBAuRvi0nQN12u7+MTgUuIxHt59fk1oJO Hq4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date:dkim-signature :arc-authentication-results; bh=Nsuvr08LkYLVjmHJbTqBHQbPdscPTTwKIKJfhJ7JJUg=; b=LfNFAx43yT12iXPo75NptBK8xKpdx7r2CzB1y6uIbKrT4qsWzw/GPfrAfXi2XBJyEZ An1KMHQLbMd0SyXwW/v+S/sx4GYOP7UH7W5HKWji9bo+mQP4v6TBBaGGJTxIUpomM4ZZ DwcY+P2tn1EWOMxDDBw+ZiWa/KKhOIEZHNL83uqATIqoA9Lg7T7/odeIiz6B1KTC1uf7 +NHWL60z2BLla0f6n9dBVGfZhO7glrcZm5BJ33h9OabbX9C/UgBUv9EewivCaCufv5gb YQGwwElT01wJC2xer8ov4pOk5eZk8cUoiwhePs8lkpcLWZSOmLYN1q2topqsLeISPBGr 2MPA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ti.com header.s=ti-com-17Q1 header.b=ucDr3Yad; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=ti.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o187si183253pga.528.2018.03.19.09.28.32; Mon, 19 Mar 2018 09:28:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@ti.com header.s=ti-com-17Q1 header.b=ucDr3Yad; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=ti.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S966945AbeCSQ04 (ORCPT + 99 others); Mon, 19 Mar 2018 12:26:56 -0400 Received: from lelnx194.ext.ti.com ([198.47.27.80]:50330 "EHLO lelnx194.ext.ti.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S965769AbeCSQ0x (ORCPT ); Mon, 19 Mar 2018 12:26:53 -0400 Received: from dlelxv90.itg.ti.com ([172.17.2.17]) by lelnx194.ext.ti.com (8.15.1/8.15.1) with ESMTP id w2JGQnFw011674; Mon, 19 Mar 2018 11:26:49 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ti.com; s=ti-com-17Q1; t=1521476809; bh=BkjNilFM25v5jK3DidFCrjrucG20CKL2vu6d3o8NJjc=; h=Date:From:To:CC:Subject:References:In-Reply-To; b=ucDr3YadVLyhvJQdzhDptTcV0zJE30rv6p8jVkIlGdUyqCA7DKYvlBlqjdQl8qel8 4hnPYO7R7FQMejRVg1jDnTJCZyxS7VdAJpgO8jQx7FluWrTXZbtWJ9Gh4BdtSudcch N9szcxgvMjg2XOKyE4avaUzahjy78+MJSwbC0uVk= Received: from DLEE107.ent.ti.com (dlee107.ent.ti.com [157.170.170.37]) by dlelxv90.itg.ti.com (8.14.3/8.13.8) with ESMTP id w2JGQnS6005529; Mon, 19 Mar 2018 11:26:49 -0500 Received: from DLEE101.ent.ti.com (157.170.170.31) by DLEE107.ent.ti.com (157.170.170.37) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1261.35; Mon, 19 Mar 2018 11:26:49 -0500 Received: from dlep32.itg.ti.com (157.170.170.100) by DLEE101.ent.ti.com (157.170.170.31) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.1261.35 via Frontend Transport; Mon, 19 Mar 2018 11:26:49 -0500 Received: from localhost (ileax41-snat.itg.ti.com [10.172.224.153]) by dlep32.itg.ti.com (8.14.3/8.13.8) with ESMTP id w2JGQn3t002680; Mon, 19 Mar 2018 11:26:49 -0500 Date: Mon, 19 Mar 2018 11:26:49 -0500 From: Bin Liu To: Heinrich Schuchardt CC: Greg Kroah-Hartman , , Subject: Re: [PATCH 1/1] usb: musb: gadget: misplaced out of bounds check Message-ID: <20180319162649.GT14921@uda0271908> Mail-Followup-To: Bin Liu , Heinrich Schuchardt , Greg Kroah-Hartman , linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org References: <20180319071228.11051-1-xypron.glpk@gmx.de> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <20180319071228.11051-1-xypron.glpk@gmx.de> User-Agent: Mutt/1.5.21 (2010-09-15) X-EXCLAIMER-MD-CONFIG: e1e8a2fd-e40a-4ac6-ac9b-f7e9cc9ee180 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On Mon, Mar 19, 2018 at 08:12:28AM +0100, Heinrich Schuchardt wrote: > musb->endpoints[] has array size MUSB_C_NUM_EPS. > We must check array bounds before accessing the array and not afterwards. > > Signed-off-by: Heinrich Schuchardt > --- > drivers/usb/musb/musb_gadget_ep0.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/musb/musb_gadget_ep0.c b/drivers/usb/musb/musb_gadget_ep0.c > index 18da4873e52e..482e7c2f8dc7 100644 > --- a/drivers/usb/musb/musb_gadget_ep0.c > +++ b/drivers/usb/musb/musb_gadget_ep0.c > @@ -88,6 +88,11 @@ static int service_tx_status_request( > break; > } > > + if (epnum >= MUSB_C_NUM_EPS) { only the LSB 4 bits are the EP number, bit7 is the direction flag. So you can only compare the LSB 4 bits here. Regards, -Bin.