From 107c406baa7f31e3155262d31b330e9a4810a904 Mon Sep 17 00:00:00 2001 From: Tianhua Sun Date: Wed, 17 Jul 2019 16:39:48 +0800 Subject: [PATCH] dm: array bound checking to avoid buffer overflow The array index of "epid" may be out of bounds if "epid >= XHCI_MAX_ENDPOINTS", so bound check is necessary before it is used. Tracked-On: #3434 Signed-off-by: Tianhua Sun Reviewed-by: Yonghua Huang Reviewed-by: Xiaoguang Wu --- devicemodel/hw/pci/xhci.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/devicemodel/hw/pci/xhci.c b/devicemodel/hw/pci/xhci.c index 892442d6b..4245abaef 100644 --- a/devicemodel/hw/pci/xhci.c +++ b/devicemodel/hw/pci/xhci.c @@ -3718,6 +3718,8 @@ pci_xhci_dev_intr(struct usb_hci *hci, int epctx) /* HW endpoint contexts are 0-15; convert to epid based on dir */ epid = (epid * 2) + (dir_in ? 1 : 0); + if (epid >= XHCI_MAX_ENDPOINTS) + return 0; dev = hci->dev; xdev = dev->xdev;
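Review bot: The new check in pci_xhci_dev_intr() bounds epid only from above, after the "(epid * 2) + (dir_in ? 1 : 0)" conversion. The parameter epctx is a signed int and the declaration of epid is not visible in this hunk; if epid is signed and derived from epctx, a negative value passes "epid >= XHCI_MAX_ENDPOINTS" and is still used as an array index. Suggest testing "epid < 0 || epid >= XHCI_MAX_ENDPOINTS", or rejecting anything outside the 0-15 range named in the comment before the conversion. The early "return 0" is also silent: if 0 is what this function returns on success, the caller cannot tell a rejected endpoint from a delivered interrupt, so a distinct error return plus a log line would make an out-of-range endpoint visible.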