aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/usb/musb
diff options
context:
space:
mode:
authorKevin Hilman <khilman@deeprootsystems.com>2008-09-15 06:09:31 -0400
committerGreg Kroah-Hartman <gregkh@suse.de>2008-10-17 17:40:58 -0400
commit02582b92f60fa33b68b90263013e98550286db0a (patch)
tree4b3a786ed87664559093061d213ea4b09df84e42 /drivers/usb/musb
parentcede969fe21adece300300a455580635590deb47 (diff)
MUSB: Add sanity check for maximum number of endpoints
There is no check if platform code passes in more endpoints (num_eps) than the maximum number of enpoints (MUSB_C_NUM_EPS.) The result is that allocate_instance() happily writes past the end of 'struct musb' corrupting memory. This patch adds a BUG() if the platform code requests more than the max. Signed-off-by: Kevin Hilman <khilman@deeprootsystems.com> Acked-by: Felipe Balbi <felipe.balbi@nokia.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/usb/musb')
-rw-r--r--drivers/usb/musb/musb_core.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c
index 128e949db47c..bd82253a3329 100644
--- a/drivers/usb/musb/musb_core.c
+++ b/drivers/usb/musb/musb_core.c
@@ -1806,6 +1806,7 @@ allocate_instance(struct device *dev,
1806 musb->ctrl_base = mbase; 1806 musb->ctrl_base = mbase;
1807 musb->nIrq = -ENODEV; 1807 musb->nIrq = -ENODEV;
1808 musb->config = config; 1808 musb->config = config;
1809 BUG_ON(musb->config->num_eps > MUSB_C_NUM_EPS);
1809 for (epnum = 0, ep = musb->endpoints; 1810 for (epnum = 0, ep = musb->endpoints;
1810 epnum < musb->config->num_eps; 1811 epnum < musb->config->num_eps;
1811 epnum++, ep++) { 1812 epnum++, ep++) {