korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-12-13 14:04:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

USB: ehci_brcm_hub_control: Improve port index sanitizing

Browse Source 
Due to (wIndex & 0xff) - 1 can get an integer greater than 15, this
can cause array index to be out of bounds since the size of array
port_status is 15. This change prevents a possible out-of-bounds
pointer computation by forcing the use of a valid port number.

Reported-by: TCS Robot <tcs_robot@tencent.com>
Signed-off-by: Haimin Zhang <tcs.kernel@gmail.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20211113165320.GA59686@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Haimin Zhang 2021-11-13 11:53:20 -05:00 committed by Greg Kroah-Hartman
parent 4ce3b45704
commit 9933698f61
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/usb/host/ehci-brcm.c
View File

@ -62,8 +62,12 @@ static int ehci_brcm_hub_control(
u32 __iomem *status_reg;
unsigned long flags;
int retval, irq_disabled = 0;
u32 temp;
status_reg = &ehci->regs->port_status[(wIndex & 0xff) - 1];
temp = (wIndex & 0xff) - 1;
if (temp >= HCS_N_PORTS_MAX) /* Avoid index-out-of-bounds warning */
temp = 0;
status_reg = &ehci->regs->port_status[temp];
/*
* RESUME is cleared when GetPortStatus() is called 20ms after start