diff options
author | Kevin Hilman <khilman@deeprootsystems.com> | 2008-09-15 06:09:31 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2008-10-17 17:40:58 -0400 |
commit | 02582b92f60fa33b68b90263013e98550286db0a (patch) | |
tree | 4b3a786ed87664559093061d213ea4b09df84e42 | |
parent | cede969fe21adece300300a455580635590deb47 (diff) |
MUSB: Add sanity check for maximum number of endpoints
There is no check if platform code passes in more endpoints (num_eps)
than the maximum number of enpoints (MUSB_C_NUM_EPS.) The result is
that allocate_instance() happily writes past the end of 'struct musb'
corrupting memory.
This patch adds a BUG() if the platform code requests more than the max.
Signed-off-by: Kevin Hilman <khilman@deeprootsystems.com>
Acked-by: Felipe Balbi <felipe.balbi@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/usb/musb/musb_core.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c index 128e949db47c..bd82253a3329 100644 --- a/drivers/usb/musb/musb_core.c +++ b/drivers/usb/musb/musb_core.c | |||
@@ -1806,6 +1806,7 @@ allocate_instance(struct device *dev, | |||
1806 | musb->ctrl_base = mbase; | 1806 | musb->ctrl_base = mbase; |
1807 | musb->nIrq = -ENODEV; | 1807 | musb->nIrq = -ENODEV; |
1808 | musb->config = config; | 1808 | musb->config = config; |
1809 | BUG_ON(musb->config->num_eps > MUSB_C_NUM_EPS); | ||
1809 | for (epnum = 0, ep = musb->endpoints; | 1810 | for (epnum = 0, ep = musb->endpoints; |
1810 | epnum < musb->config->num_eps; | 1811 | epnum < musb->config->num_eps; |
1811 | epnum++, ep++) { | 1812 | epnum++, ep++) { |