Re: [PATCH] usb: gadget: bdc: validate status-report endpoint indices

Next message: Dmitry Baryshkov: "Re: [PATCH] clk: qcom: rcg2: expand frac table for mdss_pixel_clk_src"
Previous message: Radu Rendec: "Re: [patch v2 05/14] genirq: Expose nr_irqs in core code"
In reply to: Pengpeng Hou: "[PATCH] usb: gadget: bdc: validate status-report endpoint indices"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Florian Fainelli

Date: Mon Mar 23 2026 - 15:49:16 EST

On 3/23/26 05:17, Pengpeng Hou wrote:

bdc_sr_xsf() decodes a 5-bit endpoint number from the hardware status
report and uses it to index bdc->bdc_ep_array[] directly. The array is
only allocated to bdc->num_eps for the current controller instance, so a
status report can carry an endpoint number that still fits the 5-bit
field but does not fit the runtime-sized endpoint table.

Reject status reports whose endpoint number is outside bdc->num_eps
before indexing the endpoint array.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>

Reviewed-by: Florian Fainelli <florian.fainelli@xxxxxxxxxxxx>
--
Florian