USB: gadget: validate endpoint index for xilinx udc

commit 7f14c7227f342d9932f9b918893c8814f86d2a0d upstream.

Assure that host may not manipulate the index to point
past endpoint array.

Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/gadget/udc/udc-xilinx.c b/drivers/usb/gadget/udc/udc-xilinx.c
index fb4ffed..9cf4373 100644 (file)
--- a/drivers/usb/gadget/udc/udc-xilinx.c
+++ b/drivers/usb/gadget/udc/udc-xilinx.c
@@ -1612,6 +1612,8 @@ static void xudc_getstatus(struct xusb_udc *udc)
                break;
        case USB_RECIP_ENDPOINT:
                epnum = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK;
+               if (epnum >= XUSB_MAX_ENDPOINTS)
+                       goto stall;
                target_ep = &udc->ep[epnum];
                epcfgreg = udc->read_fn(udc->addr + target_ep->offset);
                halt = epcfgreg & XUSB_EP_CFG_STALL_MASK;
@@ -1679,6 +1681,10 @@ static void xudc_set_clear_feature(struct xusb_udc *udc)
        case USB_RECIP_ENDPOINT:
                if (!udc->setup.wValue) {
                        endpoint = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK;
+                       if (endpoint >= XUSB_MAX_ENDPOINTS) {
+                               xudc_ep0_stall(udc);
+                               return;
+                       }
                        target_ep = &udc->ep[endpoint];
                        outinbit = udc->setup.wIndex & USB_ENDPOINT_DIR_MASK;
                        outinbit = outinbit >> 7;