From david-b@pacbell.net Sun Dec  9 22:53:23 2007
From: David Brownell <david-b@pacbell.net>
Date: Sun, 9 Dec 2007 22:53:09 -0800
Subject: USB: gadget: at91_udc minor fix (there is no number six)
To: Greg KH <greg@kroah.com>
Cc: "Yannick Cote" <yanick@yanos.org>, USB list <linux-usb@vger.kernel.org>
Message-ID: <200712092253.09786.david-b@pacbell.net>
Content-Disposition: inline


Fix a small glitch noted by Yannick Cote.  There is no endpoint number
six, so if a (broken) host wrongly tried to change or read status of
that endpoint, the driver could access reserved register space.

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Cc: Yannick Cote <yanick@yanos.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/usb/gadget/at91_udc.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/usb/gadget/at91_udc.c
+++ b/drivers/usb/gadget/at91_udc.c
@@ -1153,7 +1153,7 @@ static void handle_setup(struct at91_udc
 			| USB_REQ_GET_STATUS:
 		tmp = w_index & USB_ENDPOINT_NUMBER_MASK;
 		ep = &udc->ep[tmp];
-		if (tmp > NUM_ENDPOINTS || (tmp && !ep->desc))
+		if (tmp >= NUM_ENDPOINTS || (tmp && !ep->desc))
 			goto stall;
 
 		if (tmp) {
@@ -1176,7 +1176,7 @@ static void handle_setup(struct at91_udc
 			| USB_REQ_SET_FEATURE:
 		tmp = w_index & USB_ENDPOINT_NUMBER_MASK;
 		ep = &udc->ep[tmp];
-		if (w_value != USB_ENDPOINT_HALT || tmp > NUM_ENDPOINTS)
+		if (w_value != USB_ENDPOINT_HALT || tmp >= NUM_ENDPOINTS)
 			goto stall;
 		if (!ep->desc || ep->is_iso)
 			goto stall;
@@ -1195,7 +1195,7 @@ static void handle_setup(struct at91_udc
 			| USB_REQ_CLEAR_FEATURE:
 		tmp = w_index & USB_ENDPOINT_NUMBER_MASK;
 		ep = &udc->ep[tmp];
-		if (w_value != USB_ENDPOINT_HALT || tmp > NUM_ENDPOINTS)
+		if (w_value != USB_ENDPOINT_HALT || tmp >= NUM_ENDPOINTS)
 			goto stall;
 		if (tmp == 0)
 			goto succeed;