mfd: dln2: Add a limit check for invalid echo
author Octavian Purdila <octavian.purdila@intel.com>
Tue, 18 Nov 2014 12:57:59 +0000 (14:57 +0200)
committer Lee Jones <lee.jones@linaro.org>
Wed, 19 Nov 2014 17:12:50 +0000 (17:12 +0000)
The echo field in dln2_transfer_complete comes directly from a USB
transfer and we should not trust it is valid.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Octavian Purdila <octavian.purdila@intel.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
drivers/mfd/dln2.c

index cf22841c1e3c61781bce4b90a20afbd8ca49138a..df2fda9cd3db038082472f9cb293e7bf0960b72f 100644 (file)
@@ -195,6 +195,9 @@ static bool dln2_transfer_complete(struct dln2_dev *dln2, struct urb *urb,
        struct dln2_rx_context *rxc;
        bool valid_slot = false;
 
+       if (rx_slot >= DLN2_MAX_RX_SLOTS)
+               goto out;
+
        rxc = &rxs->slots[rx_slot];
 
        /*
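Review bot: the new check ahead of `rxc = &rxs->slots[rx_slot]` tests only the upper bound, and the type of rx_slot is not visible in this hunk. If it is a signed type, a negative value taken from the USB data would pass `rx_slot >= DLN2_MAX_RX_SLOTS` and still index outside slots[]; confirm the parameter is unsigned, or add the lower bound. A one-line comment saying the value is device-supplied would also keep the check from being dropped later as redundant.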
@@ -210,6 +213,7 @@ static bool dln2_transfer_complete(struct dln2_dev *dln2, struct urb *urb,
        }
        spin_unlock(&rxs->lock);
 
+out:
        if (!valid_slot)
                dev_warn(dev, "bad/late response %d/%d\n", handle, rx_slot);
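Review bot: the dev_warn after the new out: label can be triggered by device-supplied data alone and has no rate limit, so a faulty or hostile device that keeps sending out-of-range echo values can fill the kernel log; consider dev_warn_ratelimited here. The message also reports an out-of-range slot as "bad/late response", the same text as a late reply, so a distinct message for the range failure would help triage. Placing the label after spin_unlock(&rxs->lock) is correct, since the early exit never takes the lock.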