Some proprietary protocols uses "w_index" field not by the rules.
When we set "intf = w_index & 0xFF" variable without check it may
exceed maximum number of interfaces. Not all code cases below check
the range of this variable. In some protocols it is usefull to
guaranty that "intf" not exceed MAX_CONFIG_INTERFACES.
Fixes: 7010f5b94fa3 ("usb:gadget:composite USB composite gadget support")
Signed-off-by: Vladimir Mitrofanov <vvmitrofa...@salutedevices.com>
---
drivers/usb/gadget/composite.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 04b8541993..4bb2afa833 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1011,7 +1011,7 @@ composite_setup(struct usb_gadget *gadget, const struct
usb_ctrlrequest *ctrl)
u16 w_index = le16_to_cpu(ctrl->wIndex);
u16 w_value = le16_to_cpu(ctrl->wValue);
struct usb_composite_dev *cdev = get_gadget_data(gadget);
- u8 intf = w_index & 0xFF;
+ u8 intf = min_t(u8, w_index & 0xFF,
MAX_CONFIG_INTERFACES - 1);
int value = -EOPNOTSUPP;
struct usb_request *req = cdev->req;
struct usb_function *f = NULL;
--
2.43.0
