From: Mauro Matteo Cascella <mcasc...@redhat.com>

This prevents an OOB read (followed by an assertion failure in xhci_kick_ep) when slotid > xhci->numslots.
Reported-by: Soul Chen <soulchen8...@gmail.com> Signed-off-by: Mauro Matteo Cascella <mcasc...@redhat.com> Message-Id: <20220705174734.2348829-1-mcasc...@redhat.com> Signed-off-by: Gerd Hoffmann <kra...@redhat.com> --- hw/usb/hcd-xhci.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index 0cd0a5e54027..296cc6c8e694 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -3269,7 +3269,8 @@ static void xhci_wakeup_endpoint(USBBus *bus, USBEndpoint *ep, DPRINTF("%s\n", __func__); slotid = ep->dev->addr; - if (slotid == 0 || !xhci->slots[slotid-1].enabled) { + if (slotid == 0 || slotid > xhci->numslots || + !xhci->slots[slotid - 1].enabled) { DPRINTF("%s: oops, no slot for dev %d\n", __func__, ep->dev->addr); return; } -- 2.36.1
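Review bot: The new range check in xhci_wakeup_endpoint is the right fix, but it folds a guest-triggerable out-of-range slot id into the existing DPRINTF-only path ("oops, no slot for dev %d"), which is compiled out in normal builds; since a device address above xhci->numslots is a guest error rather than a debug condition, consider reporting the slotid > xhci->numslots case separately (for example via qemu_log_mask(LOG_GUEST_ERROR, ...)) so that the condition is observable in production logs. The whitespace change from `slotid-1` to `slotid - 1` in the same hunk is unrelated to the fix and would normally go in its own cleanup commit; if kept, the commit message should mention it. The message would also benefit from one sentence on how ep->dev->addr can exceed numslots, so readers can judge whether other callers that index xhci->slots[ep->dev->addr - 1] need the same check.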