usb: musb-new: Limit check array index before use
authorAndrew Goodbody <andrew.goodbody@linaro.org>
Tue, 30 Sep 2025 15:52:23 +0000 (16:52 +0100)
committerMarek Vasut <marek.vasut+usb@mailbox.org>
Tue, 28 Oct 2025 15:35:05 +0000 (16:35 +0100)
epnum is used as an index into an array. The limit check for this index
should be performed before using it to access an element in the array to
prevent possible bounds overrun.

This issue was found by Smatch.

Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@kernel.org>
drivers/usb/musb-new/musb_gadget_ep0.c

index ea65326..25b1de6 100644 (file)
@@ -96,6 +96,9 @@ static int service_tx_status_request(
                if (!epnum) {
                        result[0] = 0;
                        break;
+               } else if (epnum >= MUSB_C_NUM_EPS) {
+                       handled = -EINVAL;
+                       break;
                }
 
                is_in = epnum & USB_DIR_IN;
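Review bot: The added test `else if (epnum >= MUSB_C_NUM_EPS)` runs while epnum still carries the direction bit, because `is_in = epnum & USB_DIR_IN` is only evaluated after it. USB_DIR_IN is 0x80, so unless MUSB_C_NUM_EPS is larger than that, every status request for an IN endpoint now takes the -EINVAL path and never reaches the `musb->endpoints[epnum]` lookup. The bound should apply to the endpoint number alone, for example `} else if ((epnum & ~USB_DIR_IN) >= MUSB_C_NUM_EPS) {`, or the check could move to just after the direction bit is stripped; that code presumably sits between this hunk and the next and is not visible here. A short comment such as `/* bound the endpoint number before indexing musb->endpoints[] */` would record why the check has to come first. service_tx_status_request starts and ends outside the hunk.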
@@ -107,7 +110,7 @@ static int service_tx_status_request(
                }
                regs = musb->endpoints[epnum].regs;
 
-               if (epnum >= MUSB_C_NUM_EPS || !ep->desc) {
+               if (!ep->desc) {
                        handled = -EINVAL;
                        break;
                }