Fix out of bound access of ep array.

When processing USB_REQ_CLEAR_FEATURE, USB_REQ_SET_FEATURE, and
USB_REQ_GET_STATUS packets in dwc2_ep0_setup an out of bounds access
can occur. This is caused by the wIndex field of the usb control packet
being used as an index into an array whose size is DWC2_MAX_ENDPOINTS (4).

Signed-off-by: Alison Huffman <alisn@google.com>

diff --git a/drivers/usb/gadget/dwc2_udc_otg_xfer_dma.c b/drivers/usb/gadget/dwc2_udc_otg_xfer_dma.c
index f17009a29e0de0f9244b02d93112a2689af82603..1c34b753511d058f9e8ce8bc2e04df029bb7837a 100644 (file)
--- a/drivers/usb/gadget/dwc2_udc_otg_xfer_dma.c
+++ b/drivers/usb/gadget/dwc2_udc_otg_xfer_dma.c
@@ -890,7 +890,7 @@ static int dwc2_ep0_write(struct dwc2_udc *dev)
 static int dwc2_udc_get_status(struct dwc2_udc *dev,
                struct usb_ctrlrequest *crq)
 {
-       u8 ep_num = crq->wIndex & 0x7F;
+       u8 ep_num = crq->wIndex & 0x3;
        u16 g_status = 0;
        u32 ep_ctrl;
 
@@ -1418,7 +1418,7 @@ static void dwc2_ep0_setup(struct dwc2_udc *dev)
                        break;
 
                case USB_REQ_CLEAR_FEATURE:
-                       ep_num = usb_ctrl->wIndex & 0x7f;
+                       ep_num = usb_ctrl->wIndex & 0x3;
 
                        if (!dwc2_udc_clear_feature(&dev->ep[ep_num].ep))
                                return;
@@ -1426,7 +1426,7 @@ static void dwc2_ep0_setup(struct dwc2_udc *dev)
                        break;
 
                case USB_REQ_SET_FEATURE:
-                       ep_num = usb_ctrl->wIndex & 0x7f;
+                       ep_num = usb_ctrl->wIndex & 0x3;
 
                        if (!dwc2_udc_set_feature(&dev->ep[ep_num].ep))
                                return;