From: Kevin Hilman Date: Mon, 15 Sep 2008 10:09:31 +0000 (+0200) Subject: MUSB: Add sanity check for maximum number of endpoints X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=02582b92f60fa33b68b90263013e98550286db0a;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git MUSB: Add sanity check for maximum number of endpoints There is no check if platform code passes in more endpoints (num_eps) than the maximum number of enpoints (MUSB_C_NUM_EPS.) The result is that allocate_instance() happily writes past the end of 'struct musb' corrupting memory. This patch adds a BUG() if the platform code requests more than the max. Signed-off-by: Kevin Hilman Acked-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c index 128e949db47..bd82253a332 100644 --- a/drivers/usb/musb/musb_core.c +++ b/drivers/usb/musb/musb_core.c @@ -1806,6 +1806,7 @@ allocate_instance(struct device *dev, musb->ctrl_base = mbase; musb->nIrq = -ENODEV; musb->config = config; + BUG_ON(musb->config->num_eps > MUSB_C_NUM_EPS); for (epnum = 0, ep = musb->endpoints; epnum < musb->config->num_eps; epnum++, ep++) {