Re: [PATCH] usb: gadget: bdc: validate status-report endpoint indices

[Justin Chen]

On 3/23/26 12:20 PM, Florian Fainelli wrote:
> On 3/23/26 05:17, Pengpeng Hou wrote:
> > bdc_sr_xsf() decodes a 5-bit endpoint number from the hardware status
> > report and uses it to index bdc->bdc_ep_array[] directly. The array is
> > only allocated to bdc->num_eps for the current controller instance, so a
> > status report can carry an endpoint number that still fits the 5-bit
> > field but does not fit the runtime-sized endpoint table.
> >
> > Reject status reports whose endpoint number is outside bdc->num_eps
> > before indexing the endpoint array.
> >
> > Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
>
> Reviewed-by: Florian Fainelli <florian.fainelli@xxxxxxxxxxxx>

Tested-by: Justin Chen <justin.chen@xxxxxxxxxxxx>