From 53b749fd72e9e4573c80f0bc4083c5cf9e82177c Mon Sep 17 00:00:00 2001
From: hathach <thach@tinyusb.org>
Date: Thu, 28 May 2020 14:44:26 +0700
Subject: [PATCH] check max_len for vendor and hid

---
 src/class/hid/hid_device.c       | 7 ++++---
 src/class/vendor/vendor_device.c | 5 ++++-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/class/hid/hid_device.c b/src/class/hid/hid_device.c
index 64a57e90e..2a20bc173 100644
--- a/src/class/hid/hid_device.c
+++ b/src/class/hid/hid_device.c
@@ -162,8 +162,9 @@ uint16_t hidd_open(uint8_t rhport, tusb_desc_interface_t const * desc_itf, uint1
 {
   TU_VERIFY(TUSB_CLASS_HID == desc_itf->bInterfaceClass, 0);
 
-  // max length is at least interface + hid descriptor + 1 endpoint
-  TU_ASSERT(max_len >= sizeof(tusb_desc_interface_t) + sizeof(tusb_hid_descriptor_hid_t) + sizeof(tusb_desc_endpoint_t), 0);
+  // len = interface + hid + n*endpoints
+  uint16_t const drv_len = sizeof(tusb_desc_interface_t) + sizeof(tusb_hid_descriptor_hid_t) + desc_itf->bNumEndpoints*sizeof(tusb_desc_endpoint_t);
+  TU_ASSERT(max_len >= drv_len, 0);
 
   // Find available interface
   hidd_interface_t * p_hid = NULL;
@@ -205,7 +206,7 @@ uint16_t hidd_open(uint8_t rhport, tusb_desc_interface_t const * desc_itf, uint1
     }
   }
 
-  return sizeof(tusb_desc_interface_t) + sizeof(tusb_hid_descriptor_hid_t) + desc_itf->bNumEndpoints*sizeof(tusb_desc_endpoint_t);
+  return drv_len;
 }
 
 // Handle class control request
diff --git a/src/class/vendor/vendor_device.c b/src/class/vendor/vendor_device.c
index 8f2dfef32..3fcea89c4 100644
--- a/src/class/vendor/vendor_device.c
+++ b/src/class/vendor/vendor_device.c
@@ -170,6 +170,9 @@ uint16_t vendord_open(uint8_t rhport, tusb_desc_interface_t const * itf_desc, ui
 {
   TU_VERIFY(TUSB_CLASS_VENDOR_SPECIFIC == itf_desc->bInterfaceClass, 0);
 
+  uint16_t const drv_len = sizeof(tusb_desc_interface_t) + itf_desc->bNumEndpoints*sizeof(tusb_desc_endpoint_t);
+  TU_VERIFY(max_len >= drv_len, 0);
+
   // Find available interface
   vendord_interface_t* p_vendor = NULL;
   for(uint8_t i=0; i<CFG_TUD_VENDOR; i++)
@@ -194,7 +197,7 @@ uint16_t vendord_open(uint8_t rhport, tusb_desc_interface_t const * itf_desc, ui
     TU_BREAKPOINT();
   }
 
-  return sizeof(tusb_desc_interface_t) + itf_desc->bNumEndpoints*sizeof(tusb_desc_endpoint_t);
+  return drv_len;
 }
 
 bool vendord_xfer_cb(uint8_t rhport, uint8_t ep_addr, xfer_result_t result, uint32_t xferred_bytes)