From 7af98ce6bbb1d7947da43afe0f50f35ba2397044 Mon Sep 17 00:00:00 2001
From: Aidan MacDonald
Date: Tue, 9 Nov 2021 14:12:13 +0000
Subject: [PATCH] usb: Fix possible SET ADDRESS data corruption

The address from the packet needs to be saved before sending the response -- after the response the request being pointed to could get overwritten. This used to be done correctly but I unintentionally broke it when updating the handler to the new control request API.

Change-Id: I9b11548baf20dce44a82301731405dc8e8f1cef3
---
 firmware/usbstack/usb_core.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/firmware/usbstack/usb_core.c b/firmware/usbstack/usb_core.c
index 5de892196d..738b92ed4d 100644
--- a/firmware/usbstack/usb_core.c
+++ b/firmware/usbstack/usb_core.c
@@ -729,6 +729,8 @@ static void usb_core_do_clear_feature(int recip, int recip_nr, int feature)
 
 static void request_handler_device(struct usb_ctrlrequest* req, void* reqdata)
 {
+ unsigned address;
+
 switch(req->bRequest) {
 case USB_REQ_GET_CONFIGURATION:
 logf("usb_core: GET_CONFIG");
@@ -744,10 +746,11 @@ static void request_handler_device(struct usb_ctrlrequest* req, void* reqdata)
 /* NOTE: We really have no business handling this and drivers
 * should just handle it themselves. We don't care beyond
 * knowing if we've been assigned an address yet, or not. */
+ address = req->wValue;
 usb_drv_control_response(USB_CONTROL_ACK, NULL, 0);
 usb_drv_cancel_all_transfers();
- usb_drv_set_address(req->wValue);
- usb_core_do_set_addr(req->wValue);
+ usb_drv_set_address(address);
+ usb_core_do_set_addr(address);
 break;
 case USB_REQ_GET_DESCRIPTOR:
 logf("usb_core: GET_DESC %d", req->wValue >> 8);
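Review bot: The new `address = req->wValue;` line in the second hunk carries an ordering requirement that nothing in the code records: per the commit message, `req` can be overwritten once `usb_drv_control_response()` has been called, and an earlier refactor broke exactly that. A comment at the copy, e.g. `/* Save wValue now: *req may be overwritten after the response is sent. */`, would keep the next API update from reintroducing the stale read. Separately, `wValue` is a host-supplied 16-bit field while a USB device address is 7 bits, and the value reaches `usb_drv_set_address()` and `usb_core_do_set_addr()` unchecked; whether those callees range-check is not visible here, so consider rejecting or masking values above 127 before the ACK is sent. `request_handler_device` continues outside both hunks, so other cases that read `req` after responding could not be checked from this diff.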