USB: dwc3: debugfs: Add boundary check in dwc3_store_ep_num() · 4a09bafb4c - evie/android_kernel_oneplus_msm8998 - Gay Catgirls Forgejo: gay catgirls having sex

evie/android_kernel_oneplus_msm8998

USB: dwc3: debugfs: Add boundary check in dwc3_store_ep_num()

User can pass arguments as part of write to requests and endpoint number
will be calculated based on the arguments. There is a chance that driver
can access ep structue that is not allocated due to invalid arguments
passed by user. Hence fix the issue by having check and return error in
case of invalid arguments.

Change-Id: I060ea878b55ce0f9983b91c50e58718c8a2c2fa1
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>

This commit is contained in:

Vijayavardhan Vennapusa

2016-05-05 14:37:08 +05:30

• committed by

Kyle Yan

parent 3cc4528523

commit 4a09bafb4c

1 changed files with 10 additions and 2 deletions

									
										12

drivers/usb/dwc3/debugfs.c
									
										View file
										
				@ -630,7 +630,7 @@ static ssize_t dwc3_store_ep_num(struct file *file, const char __user *ubuf,

					struct seq_file		*s = file->private_data;

					struct dwc3		*dwc = s->private;

					char			kbuf[10];

					unsigned int		num, dir;

					unsigned int		num, dir, temp;

					unsigned long		flags;

					memset(kbuf, 0, 10);

				@ -641,8 +641,16 @@ static ssize_t dwc3_store_ep_num(struct file *file, const char __user *ubuf,

					if (sscanf(kbuf, "%u %u", &num, &dir) != 2)

						return -EINVAL;

					if (dir != 0 && dir != 1)

						return -EINVAL;

					temp = (num << 1) + dir;

					if (temp >= (dwc->num_in_eps + dwc->num_out_eps) ||

									temp >= DWC3_ENDPOINTS_NUM)

						return -EINVAL;

					spin_lock_irqsave(&dwc->lock, flags);

					ep_num = (num << 1) + dir;

					ep_num = temp;

					spin_unlock_irqrestore(&dwc->lock, flags);

					return count;