On Tue, Nov 02, 2021 at 03:44:46PM +0800, Haimin Zhang wrote: > There isn't enough check parameter `wIndex` in the function > `ehci_brcm_hub_control`;due to the size of array `port_status` > is 15, so it may lead to out of bounds. > > Signed-off-by: Haimin Zhang <tcs_kernel@xxxxxxxxxxx> > Reported-by: TCS Robot <tcs_robot@xxxxxxxxxxx> > --- > drivers/usb/host/ehci-brcm.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/host/ehci-brcm.c b/drivers/usb/host/ehci-brcm.c > index d3626bfa966b..4ca3eb9fcda9 100644 > --- a/drivers/usb/host/ehci-brcm.c > +++ b/drivers/usb/host/ehci-brcm.c > @@ -63,7 +63,8 @@ static int ehci_brcm_hub_control( > unsigned long flags; > int retval, irq_disabled = 0; > > - status_reg = &ehci->regs->port_status[(wIndex & 0xff) - 1]; > + if (wIndex && wIndex <= ports) > + status_reg = &ehci->regs->port_status[(wIndex & 0xff) - 1]; This isn't quite right because it won't work properly if the upper byte of wIndex is nonzero. You should do something like: u32 temp; temp = (wIndex & 0xff) - 1; if (temp < ports) status_reg = &ehci->regs->port_status[temp]; Alan Stern
