> Date: Mon, 16 Mar 2020 20:51:54 +0100
> From: Martin Pieuchot <[email protected]>
>
> If the given `rate' is bigger than the last element of the array there's
> an out-of-bound read and `divisor' will contain garbage.
>
> Diff below fix this issue reported by coverity, CID 1453258.
>
> Ok?
ok kettenis@
> Index: umcs.c
> ===================================================================
> RCS file: /cvs/src/sys/dev/usb/umcs.c,v
> retrieving revision 1.6
> diff -u -p -r1.6 umcs.c
> --- umcs.c 9 Oct 2017 08:26:16 -0000 1.6
> +++ umcs.c 16 Mar 2020 18:56:28 -0000
> @@ -451,16 +451,16 @@ umcs_calc_baudrate(uint32_t rate, uint16
> return (-1);
>
> for (i = 0; i < divisors_len - 1; i++) {
> - if (rate > umcs_baudrate_divisors[i] &&
> - rate <= umcs_baudrate_divisors[i + 1])
> - break;
> + if (rate > umcs_baudrate_divisors[i] &&
> + rate <= umcs_baudrate_divisors[i + 1]) {
> + *divisor = umcs_baudrate_divisors[i + 1] / rate;
> + /* 0x00 .. 0x70 */
> + *clk = i << UMCS_SPx_CLK_SHIFT;
> + return (0);
> + }
> }
>
> - *divisor = umcs_baudrate_divisors[i + 1] / rate;
> - /* 0x00 .. 0x70 */
> - *clk = i << UMCS_SPx_CLK_SHIFT;
> -
> - return (0);
> + return (-1);
> }
>
> int
>
>
