From 982b051cbc003b69d46e0ba5b00ca888fbb45512 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Mon, 1 Jun 2015 13:47:34 +0100
Subject: [PATCH] [xhci] Fix length of allocated slot array
The xHCI slot ID is one-based, not zero-based. Fix the length of the xhci->slot[] array to account for this, and add assertions to check that the hardware returns a valid slot ID in response to the Enable Slot command.
Signed-off-by: Michael Brown
---
 src/drivers/usb/xhci.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/drivers/usb/xhci.c b/src/drivers/usb/xhci.c
index a46a7934..4b143369 100644
--- a/src/drivers/usb/xhci.c
+++ b/src/drivers/usb/xhci.c
@@ -2622,6 +2622,7 @@ static int xhci_device_open ( struct usb_device *usb ) {
 rc = id;
 goto err_enable_slot;
 }
+ assert ( ( id > 0 ) && ( id <= xhci->slots ) );
 assert ( xhci->slot[id] == NULL );
 /* Allocate and initialise structure */
@@ -2761,7 +2762,7 @@ static int xhci_bus_open ( struct usb_bus *bus ) {
 int rc;
 /* Allocate device slot array */
- xhci->slot = zalloc ( xhci->slots * sizeof ( xhci->slot[0] ) );
+ xhci->slot = zalloc ( ( xhci->slots + 1 ) * sizeof ( xhci->slot[0] ) );
 if ( ! xhci->slot ) {
 rc = -ENOMEM;
 goto err_slot_alloc;
@@ -2813,7 +2814,7 @@ static void xhci_bus_close ( struct usb_bus *bus ) {
 /* Sanity checks */
 assert ( xhci->slot != NULL );
- for ( i = 0 ; i < xhci->slots ; i++ )
+ for ( i = 0 ; i <= xhci->slots ; i++ )
 assert ( xhci->slot[i] == NULL );
 xhci_stop ( xhci );
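Review bot: The new range check on `id` in xhci_device_open is only an `assert`, so in any build where assertions are compiled out a slot ID outside 1..xhci->slots still reaches `xhci->slot[id]` as an array index. The ID comes from the controller's reply to the Enable Slot command, so it is device-supplied data and deserves a runtime check next to the existing error path, for example `if ( ( id <= 0 ) || ( id > xhci->slots ) ) { rc = -EINVAL; goto err_enable_slot; }`. Whether `err_enable_slot` is the right unwind label for a slot the controller has already enabled cannot be seen here, since the function body starts and ends outside the hunk.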
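Review bot: The `xhci->slots + 1` sizing in xhci_bus_open and the `i <= xhci->slots` bound in xhci_bus_close encode the same one-based convention in two places, with nothing in the code saying why. The comment above the allocation could read `/* Allocate device slot array (slot IDs are one-based; entry 0 is unused) */`, and the sanity-check loop in xhci_bus_close could carry a matching remark. That keeps a later edit from "correcting" either bound back to the zero-based form and reintroducing the undersized array. Both function bodies continue outside their hunks.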