authorBenoit Goby <benoit@android.com>2012-05-18 22:05:55 -0700
committerBenoit Goby <benoit@android.com>2012-05-21 18:20:01 -0700
commitd834ff148c7663c9533fe8bd71ae792d06a702da (patch)
treef50e3280f0cb67324e9f83733983b3803614dfc9
parent786e99b07638816489c24cd8ac482d15a22d3fb0 (diff)
usb: musb: Fix memory corruption
rx_count, the number of bytes in the rx fifo, may be larger than the size of the transfer buffer. Make sure we don't overflow the transfer buffer in that case. Bug: 6497399 Change-Id: I5bcf6dd543f9da4ee22944aa6c41673f2cca4c1f Signed-off-by: Benoit Goby <benoit@android.com>
-rw-r--r--drivers/usb/musb/musb_host.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/usb/musb/musb_host.c b/drivers/usb/musb/musb_host.c
index 8b2473f..bbac21d 100644
--- a/drivers/usb/musb/musb_host.c
+++ b/drivers/usb/musb/musb_host.c
@@ -1663,7 +1663,7 @@ void musb_host_rx(struct musb *musb, u8 epnum)
d->status = d_status;
buf = urb->transfer_dma + d->offset;
} else {
- length = rx_count;
+ length = min(rx_count, urb->transfer_buffer_length);
buf = urb->transfer_dma +
urb->actual_length;
}
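Review bot: The clamp on the added line bounds `length` by the whole `urb->transfer_buffer_length`, but the destination set just below is `urb->transfer_dma + urb->actual_length`, so once `actual_length` is non-zero a transfer of up to the full buffer length can still run past the end of the buffer. The bound should be the space that remains, e.g. `length = min(rx_count, urb->transfer_buffer_length - urb->actual_length);`. If `rx_count` is declared with a narrower type than the u32 URB fields (its declaration is outside this hunk), the kernel's type-checked `min()` will warn and `min_t(u32, ...)` would be the usual form. The truncation is also silent: nothing visible here records that the device sent more than was requested, so it is worth checking whether this branch should set an overflow status on the URB. musb_host_rx starts and ends outside the hunk.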