From: Kery Qi <qikeyu2017@gmail.com>
To: gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org, Kery Qi <qikeyu2017@gmail.com>
Subject: [PATCH] USB: gadget: max3420: validate endpoint index for max3420 udc
Date: Mon, 5 Jan 2026 16:02:43 +0800 [thread overview]
Message-ID: <20260105080241.1261-3-qikeyu2017@gmail.com> (raw)
Assure that the host may not manipulate the index to point past the
endpoint array.
In max3420_getstatus(), the driver uses the wIndex value from the
setup packet to obtain the endpoint index. However, there is no
check to ensure this index is within the valid bounds of the
udc->ep[] array.
A malicious host could send a USB_REQ_GET_STATUS request with a
large endpoint index, leading to an out-of-bounds memory access.
This patch adds a validation check against MAX3420_MAX_EPS. If the
endpoint index is invalid, the request is stalled.
Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
---
drivers/usb/gadget/udc/max3420_udc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/udc/max3420_udc.c b/drivers/usb/gadget/udc/max3420_udc.c
index 7349ea774adf..ac11ddf3fcbc 100644
--- a/drivers/usb/gadget/udc/max3420_udc.c
+++ b/drivers/usb/gadget/udc/max3420_udc.c
@@ -548,7 +548,11 @@ static void max3420_getstatus(struct max3420_udc *udc)
goto stall;
break;
case USB_RECIP_ENDPOINT:
- ep = &udc->ep[udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK];
+ u8 epnum = udc->setup.wIndex & USB_ENDPOINT_NUMBER_MASK;
+
+ if (epnum >= MAX3420_MAX_EPS)
+ goto stall;
+ ep = &udc->ep[epnum];
if (udc->setup.wIndex & USB_DIR_IN) {
if (!ep->ep_usb.caps.dir_in)
goto stall;
--
2.34.1
next reply other threads:[~2026-01-05 8:05 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-05 8:02 Kery Qi [this message]
2026-01-16 15:27 ` [PATCH] USB: gadget: max3420: validate endpoint index for max3420 udc Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260105080241.1261-3-qikeyu2017@gmail.com \
--to=qikeyu2017@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox