usb: gadget: aspeed_udc: validate endpoint index for ast udc

[ Upstream commit ee0d382feb ]

We should verify the bound of the array to ensure that the host
may not manipulate the index to point past the endpoint array.

Found by static analysis.

Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Reviewed-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Acked-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Link: https://lore.kernel.org/r/20240625022306.2568122-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ma Ke 2024-06-25 10:23:06 +08:00 committed by Greg Kroah-Hartman
parent 4292441b87
commit b2a50ffdd1

@ -1009,6 +1009,8 @@ static void ast_udc_getstatus(struct ast_udc_dev *udc)
break;
case USB_RECIP_ENDPOINT:
epnum = crq.wIndex & USB_ENDPOINT_NUMBER_MASK;
if (epnum >= AST_UDC_NUM_ENDPOINTS)
goto stall;
status = udc->ep[epnum].stopped;
break;
default:
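Review bot: The bound check on `epnum` in the `USB_RECIP_ENDPOINT` case would benefit from a one-line comment stating that `crq.wIndex` comes from the host's SETUP packet and that masking with `USB_ENDPOINT_NUMBER_MASK` only isolates the endpoint-number field; it does not by itself keep the value below `AST_UDC_NUM_ENDPOINTS`. Without that comment a later cleanup could read the check as redundant with the mask and drop it. The check is placed correctly, after the index is derived and before `udc->ep[epnum].stopped` is read, and rejecting the request via `goto stall` is a reasonable response to an out-of-range endpoint. The `stall` label is outside the visible context, so confirm that it is reachable from this point without leaving `status` used uninitialized. It is also worth auditing any other place in the driver that indexes `udc->ep[]` with a value derived from `wIndex` and applying the same check there.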