Skip to content

Commit

Permalink
MUSB: Add sanity check for maximum number of endpoints
Browse files Browse the repository at this point in the history 
There is no check if platform code passes in more endpoints (num_eps)
than the maximum number of enpoints (MUSB_C_NUM_EPS.)  The result is
that allocate_instance() happily writes past the end of 'struct musb'
corrupting memory.

This patch adds a BUG() if the platform code requests more than the max.

Signed-off-by: Kevin Hilman <khilman@deeprootsystems.com>
Acked-by: Felipe Balbi <felipe.balbi@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  • Loading branch information
Kevin Hilman authored and Greg Kroah-Hartman committed Oct 17, 2008
1 parent cede969 commit 02582b9
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions drivers/usb/musb/musb_core.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1806,6 +1806,7 @@ allocate_instance(struct device *dev,
musb->ctrl_base = mbase;
musb->nIrq = -ENODEV;
musb->config = config;
BUG_ON(musb->config->num_eps > MUSB_C_NUM_EPS);
for (epnum = 0, ep = musb->endpoints;
epnum < musb->config->num_eps;
epnum++, ep++) {
Expand Down

0 comments on commit 02582b9

Please sign in to comment.