From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stephen Warren Date: Tue, 15 Dec 2015 19:58:48 -0700 Subject: [U-Boot] [PATCH 1/6] usb: dwc2: avoid out of bounds access In-Reply-To: <1449980278-19881-2-git-send-email-stefan.bruens@rwth-aachen.de> References: <1449980278-19881-1-git-send-email-stefan.bruens@rwth-aachen.de> <1449980278-19881-2-git-send-email-stefan.bruens@rwth-aachen.de> Message-ID: <5670D368.6090703@wwwdotorg.org> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de On 12/12/2015 09:17 PM, Stefan Br?ns wrote: > flush_dcache_range may access data after priv->aligned_buffer end if > len > DWC2_DATA_BUF_SIZE. > memcpy may access data after buffer end if done > 0 Acked-by: Stephen Warren Uggh; icky bug:-( > @@ -823,12 +823,13 @@ int chunk_msg(struct dwc2_priv *priv, struct usb_device *dev, > (*pid << DWC2_HCTSIZ_PID_OFFSET), > &hc_regs->hctsiz); > > - if (!in) { > - memcpy(priv->aligned_buffer, (char *)buffer + done, len); > + if (!in && xfer_len) { Do zero-length memcpy or flush_dcache_range actually cause an issue?
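Review bot: The `&& xfer_len` term added to the `if (!in ...)` condition is not covered by the commit message, which explains only the overruns when `len > DWC2_DATA_BUF_SIZE` and when `done > 0`, not why a zero-length transfer in the `!in` direction has to skip the copy and the cache flush. If the guard is required, state the reason in a comment above the condition or in the commit message; if it is not, keeping the condition as `if (!in)` would limit the change to the bounds fix. The lines after the new condition are cut off here, so it is worth confirming that the replacement `memcpy` into `priv->aligned_buffer` and the `flush_dcache_range` call use the same bounded length rather than `len`.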