dm: array bound checking to avoid buffer overflow

tianhuas · acrnsi · commit 107c406baa7f · 2019-07-30T16:36:13.000+08:00
The array index of "epid" may be out of bounds if "epid >= XHCI_MAX_ENDPOINTS", so bound check is necessary before it is used. Tracked-On: #3434 Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com> Reviewed-by: Yonghua Huang <yonghua.huang@intel.com> Reviewed-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
diff --git a/devicemodel/hw/pci/xhci.c b/devicemodel/hw/pci/xhci.c
@@ -3718,6 +3718,8 @@ pci_xhci_dev_intr(struct usb_hci *hci, int epctx)
 
 	/* HW endpoint contexts are 0-15; convert to epid based on dir */
 	epid = (epid * 2) + (dir_in ? 1 : 0);
+	if (epid >= XHCI_MAX_ENDPOINTS)
+		return 0;
 
 	dev = hci->dev;
 	xdev = dev->xdev;
