Received: by 10.213.65.68 with SMTP id h4csp648506imn;
        Tue, 20 Mar 2018 11:44:18 -0700 (PDT)
X-Google-Smtp-Source: AG47ELsejR1o3WzzGad5jHt3nVVJofFjzRqydohBMu1wQ1ISwiIAn7R0Ogp5S5o2cys8hd0am7A0
X-Received: by 10.101.80.68 with SMTP id k4mr9649989pgo.137.1521571458414;
        Tue, 20 Mar 2018 11:44:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521571458; cv=none;
        d=google.com; s=arc-20160816;
        b=ZGUfB9guimnfz3hNB5pzjVl9IJxl6qb7LO6+nNKR71rq5RHRw8id8RyaB9ybFyHR7k
         blE0Oe/RT12X8G1WgzNlonVRxRct/eIiqnoL351Fvs0iwkCS2N+pMUwgriIfSzPyIFBZ
         RvvNEXYdBJrjWv0WBzhocZi1gmcg+g2AXMa2T2mJCflNUm8J6HMzorrRgHSEogwMnsbb
         /oXmZpNikoMVVq6BehgSe+V22mBL7IutnBqn5j150OSqzDzAZt/BTCsaguSBKKGY26ac
         XsEgGfzKmFkG2UEvDwGU22UwyfJJQwmqArufUnKR2SQSfLYy/RVwBGX4GD+Ju5EiNV7T
         6eBw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=HJI+r3oP0S1UbmVdr/zwLYh3kxvzk34OKrFDf6pgMAo=;
        b=LXXfDMOe4AXxA86l3TXWEt1ERu+LbZNFPr1U26/Qn5A1RUZaFYhY2URKE2daFFxh2I
         1Lg19HaqiqazBvbwa/lLdGAXhXGrEqMLpRX8YEW/kBFKrX4HOk0qKd6//ZVhAlv9KzjB
         M4GhxaMGMdP14oRYCQcm/1dKxd8T9SzhqyIj51CLwvIdNw2xi4JAMiUo+jvicNxSCA7M
         h2LDUbD4c2ETiIakxt0RG7rwzBkf8XGyYuq2Dhq3Yb9I3JFv1fVFhCHLSUdmlbVzLBcp
         pvPxHaHdbf9OOS3RAgNkxGKaZKg2dDnrfAKuhiskVc01JEjuN8Ae1v1pIs8rQmhQqwQb
         TREg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i5-v6si2188287plk.139.2018.03.20.11.44.01;
        Tue, 20 Mar 2018 11:44:18 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751552AbeCTSnC (ORCPT <rfc822;daisukeokaopensource@gmail.com>
        + 99 others); Tue, 20 Mar 2018 14:43:02 -0400
Received: from mout.gmx.net ([212.227.17.21]:36259 "EHLO mout.gmx.net"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751269AbeCTSm6 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 20 Mar 2018 14:42:58 -0400
Received: from localhost.localdomain ([109.40.65.65]) by mail.gmx.com
 (mrgmx101 [212.227.17.174]) with ESMTPSA (Nemesis) id
 0M9wrU-1ernhW2MOG-00B3ot; Tue, 20 Mar 2018 19:42:54 +0100
From:   Heinrich Schuchardt <xypron.glpk@gmx.de>
To:     Bin Liu <b-liu@ti.com>
Cc:     Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
        Heinrich Schuchardt <xypron.glpk@gmx.de>
Subject: [PATCH v3 1/1] usb: musb: gadget: misplaced out of bounds check
Date:   Tue, 20 Mar 2018 19:42:48 +0100
Message-Id: <20180320184248.11962-1-xypron.glpk@gmx.de>
X-Mailer: git-send-email 2.16.2
X-Provags-ID: V03:K0:9XnyvMPYe6JMFnuduDFCnqECQzOZDYyw674KDKmco0sNszRhSSV
 DGLTH3AHsurNAR/HVVM+RlqfFV3YvJLtsWZMAFYRvAkWce6FsQrn9qANM0QuSt19FNhOEbO
 V6iwZX8KJsrb2DHwjMmQ6ENbDM/pQaSPgVLUJ+ssbjlkNT1Xv5ZtXQG7Oy3kj8WbsVGsC8L
 IYWhnd6qGQ8IwX524TAhA==
X-UI-Out-Filterresults: notjunk:1;V01:K0:OXE0OytPgfk=:YDw4iMeQfQxicEF4K35Als
 zqGm+XCqZw2hoz5gPObRNYkpSq+pAs4yetepnRgedsSZX9QioJRbnu9rsFc55k8rCVRgcF8pc
 fc+r6GZGTEYcfErqc3BY7hpnqvoeu4whhZ/UCvAqHOdu9Xl9z55c+ESZUVyWfcmSVVEWRAtHm
 jc19c1p5NGqDJCxwPP7IjzbzJEYi5ziJPDA32+Ii3XYR4JH8UNG7PLAF2pPHWK74eWJfLExuu
 yLW/CS8kZim5N9JKKtGoLukpv1E3B2lF8lWyM6t6KnDm+dsGyb+UL7Vu31IK64qasj43OvuWd
 AjJ75aydp/CNohJBgmof/4ofjMDXi/VrG1Qhw3BUf43QIMuqNYBEBO8ejguniO8mqC1blpelh
 1hLT+91lsQ1ElxoNCj7CqOtTjkO5M5h8ZbutAEnktoC+/ISJjG/08Lx9QwYneX8E2sGoJdgGw
 G2kP659A3kywW5s4ojG+UT6IvrcFfPMTts180geSJJZZK7CXVZVXE8qUQUzy0QfssGqv7pAxU
 8galQKZvmwDLvkWx43TJ3nNo1FZPOXIFGNXJ9IIesR6UdVnrMsag0lA4UNs5VwS/TOvaTD29l
 Esz04uMfZxLrFZ/2C2pm9Uj7Wga/VjZUYaEZFl8OVqhxetco+RX0OABBn+L0gVDGvDx+gBHxZ
 a0/KfOOkUe04uaRZb1hKfz1BfVZeuK88JgbVvNEEb8cap7HfYHtgGj5OF2U99h61OghGuZYvs
 jHgpum4Qq7vQ1n/rPxRbaLiI2BN3RwOd/5a99ZBSy/STUlhqpG1NERQUYnJzQiEWQXymd0vQV
 Z/UcUs/eCYGqxDrTfo4b8Gl9fWVdg==
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

musb->endpoints[] has array size MUSB_C_NUM_EPS.
We must check array bounds before accessing the array and not afterwards.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
v3
	Remove superfluous braces.
v2
	Only the 4 low bits of epnum are relevant for indexing.
---
 drivers/usb/musb/musb_gadget_ep0.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/drivers/usb/musb/musb_gadget_ep0.c b/drivers/usb/musb/musb_gadget_ep0.c
index 18da4873e52e..91a5027b5c1f 100644
--- a/drivers/usb/musb/musb_gadget_ep0.c
+++ b/drivers/usb/musb/musb_gadget_ep0.c
@@ -89,15 +89,19 @@ static int service_tx_status_request(
 		}
 
 		is_in = epnum & USB_DIR_IN;
-		if (is_in) {
-			epnum &= 0x0f;
+		epnum &= 0x0f;
+		if (epnum >= MUSB_C_NUM_EPS) {
+			handled = -EINVAL;
+			break;
+		}
+
+		if (is_in)
 			ep = &musb->endpoints[epnum].ep_in;
-		} else {
+		else
 			ep = &musb->endpoints[epnum].ep_out;
-		}
 		regs = musb->endpoints[epnum].regs;
 
-		if (epnum >= MUSB_C_NUM_EPS || !ep->desc) {
+		if (!ep->desc) {
 			handled = -EINVAL;
 			break;
 		}
-- 
2.16.2