From 00ee7a37fdc3ed9bc6315f8af0270f2df55437d7 Mon Sep 17 00:00:00 2001 From: Octavian Purdila Date: Tue, 18 Nov 2014 14:57:59 +0200 Subject: [PATCH] mfd: dln2: Add a limit check for invalid echo The echo field in dln2_transfer_complete comes directly from an USB transfer and we should not trust it is valid. Reported-by: Dan Carpenter Signed-off-by: Octavian Purdila Signed-off-by: Lee Jones --- drivers/mfd/dln2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c index cf22841..df2fda9 100644 --- a/drivers/mfd/dln2.c +++ b/drivers/mfd/dln2.c @@ -195,6 +195,9 @@ static bool dln2_transfer_complete(struct dln2_dev *dln2, struct urb *urb, struct dln2_rx_context *rxc; bool valid_slot = false; + if (rx_slot >= DLN2_MAX_RX_SLOTS) + goto out; + rxc = &rxs->slots[rx_slot]; /* @@ -210,6 +213,7 @@ static bool dln2_transfer_complete(struct dln2_dev *dln2, struct urb *urb, } spin_unlock(&rxs->lock); +out: if (!valid_slot) dev_warn(dev, "bad/late response %d/%d\n", handle, rx_slot); -- 2.7.4