Browse Source

USB: fix user buffer overwrite

spark_strober
King Kévin 4 years ago
parent
commit
76994571b5
  1. 8
      lib/usb_cdcacm.c

8
lib/usb_cdcacm.c

@ -395,10 +395,14 @@ static void usb_cdcacm_data_tx_cb(usbd_device *usbd_dev, uint8_t ep) @@ -395,10 +395,14 @@ static void usb_cdcacm_data_tx_cb(usbd_device *usbd_dev, uint8_t ep)
return;
}
if (!tx_lock) {
usb_tx_ongoing = true; // remember we started transmission
usb_tx_ongoing = true; // remember we started transmission
uint16_t usb_length = (tx_used > USB_DATA_TRANSFER_SIZE ? USB_DATA_TRANSFER_SIZE : tx_used); // length of data to be transmitted (respect max packet size)
usb_length = (usb_length > (LENGTH(tx_buffer)-tx_i) ? LENGTH(tx_buffer)-tx_i : usb_length); // since here we use the source array not as ring buffer, only go up to the end
while (usb_length != usbd_ep_write_packet(usb_device, usb_cdcacm_data_endpoints[1].bEndpointAddress, (void*)(&tx_buffer[tx_i]), usb_length)); // ensure data is written into transmit buffer
uint8_t usb_data[USB_DATA_TRANSFER_SIZE]; // buffer to transmit data
for (uint16_t i=0; i<usb_length && i<USB_DATA_TRANSFER_SIZE; i++) { // copy data to be transferred so it can not be tempered with
usb_data[i] = tx_buffer[tx_i+i];
}
while (usb_length != usbd_ep_write_packet(usb_device, usb_cdcacm_data_endpoints[1].bEndpointAddress, (void*)(usb_data), usb_length)); // ensure data is written into transmit buffer
tx_i = (tx_i+usb_length)%LENGTH(tx_buffer); // update location on buffer
tx_used -= usb_length; // update used size
} else {

Loading…
Cancel
Save