If the given `rate' is bigger than the last element of the array there's
an out-of-bound read and `divisor' will contain garbage.
Diff below fix this issue reported by coverity, CID 1453258.
Ok?
Index: umcs.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/umcs.c,v
retrieving revision 1.6
diff -u -p -r1.6 umcs.c
--- umcs.c 9 Oct 2017 08:26:16 -0000 1.6
+++ umcs.c 16 Mar 2020 18:56:28 -0000
@@ -451,16 +451,16 @@ umcs_calc_baudrate(uint32_t rate, uint16
return (-1);
for (i = 0; i < divisors_len - 1; i++) {
- if (rate > umcs_baudrate_divisors[i] &&
- rate <= umcs_baudrate_divisors[i + 1])
- break;
+ if (rate > umcs_baudrate_divisors[i] &&
+ rate <= umcs_baudrate_divisors[i + 1]) {
+ *divisor = umcs_baudrate_divisors[i + 1] / rate;
+ /* 0x00 .. 0x70 */
+ *clk = i << UMCS_SPx_CLK_SHIFT;
+ return (0);
+ }
}
- *divisor = umcs_baudrate_divisors[i + 1] / rate;
- /* 0x00 .. 0x70 */
- *clk = i << UMCS_SPx_CLK_SHIFT;
-
- return (0);
+ return (-1);
}
int
