From ebde2ea3082040e4a8e43c7354942ee90e61eb2d Mon Sep 17 00:00:00 2001 From: Bertrik Sikken Date: Sat, 26 Nov 2011 23:55:49 +0000 Subject: [PATCH] Sansa AMSv2: potential USB fix from FS#11664 by funman: * make sure that the buffer for struct usb_ctrlrequest can fit a full 64-byte packet * align struct usb_ctrlrequest to a cacheline (32-byte alignment) git-svn-id: svn://svn.rockbox.org/rockbox/trunk@31063 a1c6a512-1295-4272-9138-f99709370657 --- firmware/target/arm/as3525/usb-drv-as3525v2.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/firmware/target/arm/as3525/usb-drv-as3525v2.c b/firmware/target/arm/as3525/usb-drv-as3525v2.c index 35b50d21cf..3d4f1579c5 100644 --- a/firmware/target/arm/as3525/usb-drv-as3525v2.c +++ b/firmware/target/arm/as3525/usb-drv-as3525v2.c @@ -87,8 +87,23 @@ enum ep0state /* endpoints[ep_num][DIR_IN/DIR_OUT] */ static struct usb_endpoint endpoints[USB_NUM_ENDPOINTS][2]; /* setup packet for EP0 */ -static struct usb_ctrlrequest _ep0_setup_pkt __attribute__((aligned(32))); -static struct usb_ctrlrequest *ep0_setup_pkt = AS3525_UNCACHED_ADDR(&_ep0_setup_pkt); + +/* USB control requests may be up to 64 bytes in size. + Even though we never use anything more than the 8 header bytes, + we are required to accept request packets of up to 64 bytes size. + Provide buffer space for these additional payload bytes so that + e.g. write descriptor requests (which are rejected by us, but the + payload is transferred anyway) do not cause memory corruption. + Fixes FS#12310. -- Michael Sparmann (theseven) */ +static struct +{ + union { + struct usb_ctrlrequest header; /* 8 bytes */ + unsigned char payload[64]; + }; +} _ep0_setup_pkt USB_DEVBSS_ATTR __attribute__((aligned(32))); + +static struct usb_ctrlrequest *ep0_setup_pkt = AS3525_UNCACHED_ADDR(&_ep0_setup_pkt.header); /* state of EP0 */ static enum ep0state ep0_state;