From a2001ac1ccf4d4919c8243fbc69aff0b68973d3f Mon Sep 17 00:00:00 2001 From: Dean Camera Date: Tue, 11 Aug 2009 08:36:25 +0000 Subject: [PATCH] Fixed swapped paremeters in the HID state memory copy call while processing a HID PUSH item in the HID report parser. Fixed memory corruption HID report parser when too many COLLECTION or PUSH items were processed. Make RNDIS device class driver include the CDC device class driver header, so that it can inherrit the required CDC functional descriptor macro. Make HID host class driver include the HID report parser. --- Demos/Device/ClassDriver/Mouse/Descriptors.h | 4 +- .../ClassDriver/RNDISEthernet/Descriptors.h | 18 +---- Demos/Host/ClassDriver/CDCHost/CDCHost.h | 3 +- Demos/Host/ClassDriver/MouseHost/MouseHost.c | 2 +- Demos/Host/makefile | 2 +- LUFA/Drivers/USB/Class/Common/RNDIS.h | 1 + LUFA/Drivers/USB/Class/Host/HID.c | 14 +++- LUFA/Drivers/USB/Class/Host/HID.h | 5 +- LUFA/Drivers/USB/Class/Host/HIDParser.c | 75 ++++++++----------- LUFA/ManPages/ChangeLog.txt | 2 + LUFA/ManPages/LUFAPoweredProjects.txt | 1 + 11 files changed, 58 insertions(+), 69 deletions(-) diff --git a/Demos/Device/ClassDriver/Mouse/Descriptors.h b/Demos/Device/ClassDriver/Mouse/Descriptors.h index 0c34342601..8b8158ba84 100644 --- a/Demos/Device/ClassDriver/Mouse/Descriptors.h +++ b/Demos/Device/ClassDriver/Mouse/Descriptors.h @@ -37,11 +37,11 @@ #define _DESCRIPTORS_H_ /* Includes: */ - #include - #include #include + #include + /* Type Defines: */ /** Type define for the device configuration descriptor structure. This must be defined in the * application code, as the configuration descriptor contains several sub-descriptors which diff --git a/Demos/Device/ClassDriver/RNDISEthernet/Descriptors.h b/Demos/Device/ClassDriver/RNDISEthernet/Descriptors.h index 28b801f1ac..961a4f461d 100644 --- a/Demos/Device/ClassDriver/RNDISEthernet/Descriptors.h +++ b/Demos/Device/ClassDriver/RNDISEthernet/Descriptors.h @@ -38,25 +38,11 @@ /* Includes: */ #include - + #include + #include /* Macros: */ - /** Macro to define a CDC class-specific functional descriptor. CDC functional descriptors have a - * uniform structure but variable sized data payloads, thus cannot be represented accurately by - * a single typedef struct. A macro is used instead so that functional descriptors can be created - * easily by specifying the size of the payload. This allows sizeof() to work correctly. - * - * \param[in] DataSize Size in bytes of the CDC functional descriptor's data payload - */ - #define CDC_FUNCTIONAL_DESCRIPTOR(DataSize) \ - struct \ - { \ - USB_Descriptor_Header_t Header; \ - uint8_t SubType; \ - uint8_t Data[DataSize]; \ - } - /** Endpoint number of the CDC device-to-host notification IN endpoint. */ #define CDC_NOTIFICATION_EPNUM 3 diff --git a/Demos/Host/ClassDriver/CDCHost/CDCHost.h b/Demos/Host/ClassDriver/CDCHost/CDCHost.h index 87a0bbcac2..ab31a57930 100644 --- a/Demos/Host/ClassDriver/CDCHost/CDCHost.h +++ b/Demos/Host/ClassDriver/CDCHost/CDCHost.h @@ -47,8 +47,7 @@ #include #include #include - #include - #include + #include \ /* Macros: */ /** LED mask for the library LED driver, to indicate that the USB interface is not ready. */ diff --git a/Demos/Host/ClassDriver/MouseHost/MouseHost.c b/Demos/Host/ClassDriver/MouseHost/MouseHost.c index 65fb4893ad..cf2997bcd2 100644 --- a/Demos/Host/ClassDriver/MouseHost/MouseHost.c +++ b/Demos/Host/ClassDriver/MouseHost/MouseHost.c @@ -105,7 +105,7 @@ int main(void) USB_HostState = HOST_STATE_Configured; break; case HOST_STATE_Configured: - if (HID_Host_ReportReceived(&Mouse_HID_Interface)) + if (HID_Host_IsReportReceived(&Mouse_HID_Interface)) { } diff --git a/Demos/Host/makefile b/Demos/Host/makefile index 2531413306..937c8fac85 100644 --- a/Demos/Host/makefile +++ b/Demos/Host/makefile @@ -14,5 +14,5 @@ # code. %: -# make -C ClassDriver/ $@ + make -C ClassDriver/ $@ make -C LowLevel/ $@ diff --git a/LUFA/Drivers/USB/Class/Common/RNDIS.h b/LUFA/Drivers/USB/Class/Common/RNDIS.h index 5c875b7de6..88ee04f470 100644 --- a/LUFA/Drivers/USB/Class/Common/RNDIS.h +++ b/LUFA/Drivers/USB/Class/Common/RNDIS.h @@ -37,6 +37,7 @@ /* Includes: */ #include "../../USB.h" + #include "CDC.h" #include diff --git a/LUFA/Drivers/USB/Class/Host/HID.c b/LUFA/Drivers/USB/Class/Host/HID.c index 3a4faffbdd..a42f8afa34 100644 --- a/LUFA/Drivers/USB/Class/Host/HID.c +++ b/LUFA/Drivers/USB/Class/Host/HID.c @@ -127,11 +127,21 @@ void HID_Host_USBTask(USB_ClassInfo_HID_Host_t* HIDInterfaceInfo) } -void HID_Host_IsReportReceived(USB_ClassInfo_HID_Host_t* HIDInterfaceInfo) +bool HID_Host_IsReportReceived(USB_ClassInfo_HID_Host_t* HIDInterfaceInfo) { + bool ReportReceived; + + if ((USB_HostState != HOST_STATE_Configured) || !(HIDInterfaceInfo->State.Active)) + return false; + Pipe_SelectPipe(HIDInterfaceInfo->Config.DataINPipeNumber); + Pipe_Unfreeze(); + + ReportReceived = Pipe_IsReadWriteAllowed(); + + Pipe_Freeze(); - return Pipe_IsReadWriteAllowed(); + return ReportReceived; } #endif diff --git a/LUFA/Drivers/USB/Class/Host/HID.h b/LUFA/Drivers/USB/Class/Host/HID.h index 0386881d25..e67103a693 100644 --- a/LUFA/Drivers/USB/Class/Host/HID.h +++ b/LUFA/Drivers/USB/Class/Host/HID.h @@ -47,6 +47,7 @@ /* Includes: */ #include "../../USB.h" #include "../Common/HID.h" + #include "HIDParser.h" /* Enable C linkage for C++ Compilers: */ #if defined(__cplusplus) @@ -95,14 +96,14 @@ HID_ENUMERROR_InvalidConfigDescriptor = 1, /**< The device returned an invalid Configuration Descriptor */ HID_ENUMERROR_NoHIDInterfaceFound = 2, /**< A compatible HID interface was not found in the device's Configuration Descriptor */ HID_ENUMERROR_EndpointsNotFound = 3, /**< Compatible HID endpoints were not found in the device's CDC interface */ - } CDCHost_EnumerationFailure_ErrorCodes_t; + } HIDHost_EnumerationFailure_ErrorCodes_t; /* Function Prototypes: */ void HID_Host_USBTask(USB_ClassInfo_HID_Host_t* HIDInterfaceInfo); uint8_t HID_Host_ConfigurePipes(USB_ClassInfo_HID_Host_t* HIDInterfaceInfo, uint16_t ConfigDescriptorLength, uint8_t* DeviceConfigDescriptor); - void HID_Host_IsReportReceived(USB_ClassInfo_HID_Host_t* HIDInterfaceInfo); + bool HID_Host_IsReportReceived(USB_ClassInfo_HID_Host_t* HIDInterfaceInfo); /* Private Interface - For use in library only: */ #if !defined(__DOXYGEN__) diff --git a/LUFA/Drivers/USB/Class/Host/HIDParser.c b/LUFA/Drivers/USB/Class/Host/HIDParser.c index cee602a338..7ec003f27b 100644 --- a/LUFA/Drivers/USB/Class/Host/HIDParser.c +++ b/LUFA/Drivers/USB/Class/Host/HIDParser.c @@ -36,44 +36,53 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, uint16_t ReportSize, HID_ReportInfo_t* const ParserData) { HID_StateTable_t StateTable[HID_STATETABLE_STACK_DEPTH]; - HID_StateTable_t* CurrStateTable = &StateTable[0]; + HID_StateTable_t* CurrStateTable = &StateTable[0]; uint16_t UsageStack[HID_USAGE_STACK_DEPTH]; - uint8_t UsageStackSize = 0; - uint16_t BitOffsetIn = 0; - uint16_t BitOffsetOut = 0; + uint8_t UsageStackSize = 0; + uint16_t BitOffsetIn = 0; + uint16_t BitOffsetOut = 0; #if defined(HID_ENABLE_FEATURE_PROCESSING) - uint16_t BitOffsetFeature = 0; + uint16_t BitOffsetFeature = 0; #endif - HID_CollectionPath_t* CurrCollectionPath = NULL; + HID_CollectionPath_t* CurrCollectionPath = NULL; - memset((void*)ParserData, 0x00, sizeof(HID_ReportInfo_t)); - memset((void*)StateTable, 0x00, sizeof(StateTable)); + memset(ParserData, 0x00, sizeof(HID_ReportInfo_t)); + memset(StateTable, 0x00, sizeof(StateTable)); while (ReportSize) { + uint8_t HIDReportItem = *(ReportData++); uint32_t ReportItemData = 0; - switch (*ReportData & DATA_SIZE_MASK) + ReportSize--; + + switch (HIDReportItem & DATA_SIZE_MASK) { case DATA_SIZE_4: - ReportItemData = *((uint32_t*)(ReportData + 1)); + ReportItemData = *((uint32_t*)ReportData); + ReportSize -= 4; + ReportData += 4; break; case DATA_SIZE_2: - ReportItemData = *((uint16_t*)(ReportData + 1)); + ReportItemData = *((uint16_t*)ReportData); + ReportSize -= 2; + ReportData += 2; break; case DATA_SIZE_1: - ReportItemData = *((uint8_t*)(ReportData + 1)); + ReportItemData = *((uint8_t*)ReportData); + ReportSize -= 1; + ReportData += 1; break; } - switch (*ReportData & (TYPE_MASK | TAG_MASK)) + switch (HIDReportItem & (TYPE_MASK | TAG_MASK)) { case (TYPE_GLOBAL | TAG_GLOBAL_PUSH): - if (CurrStateTable == &StateTable[HID_STATETABLE_STACK_DEPTH]) + if (CurrStateTable == &StateTable[HID_STATETABLE_STACK_DEPTH - 1]) return HID_PARSE_HIDStackOverflow; - memcpy((CurrStateTable - 1), - CurrStateTable, + memcpy(CurrStateTable, + (CurrStateTable + 1), sizeof(HID_ReportItem_t)); CurrStateTable++; @@ -113,7 +122,7 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, uint16_t ReportSize, HID break; case (TYPE_GLOBAL | TAG_GLOBAL_REPORTID): CurrStateTable->ReportID = ReportItemData; - BitOffsetIn = 0; + BitOffsetIn = 0; BitOffsetOut = 0; break; case (TYPE_LOCAL | TAG_LOCAL_USAGE): @@ -141,7 +150,7 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, uint16_t ReportSize, HID while (CurrCollectionPath->Parent != NULL); { - if (CurrCollectionPath == &ParserData->CollectionPaths[HID_MAX_COLLECTIONS]) + if (CurrCollectionPath == &ParserData->CollectionPaths[HID_MAX_COLLECTIONS - 1]) return HID_PARSE_InsufficientCollectionPaths; CurrCollectionPath++; @@ -209,7 +218,7 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, uint16_t ReportSize, HID CurrReportItem->Attributes.Usage.Usage = 0; } - switch (*ReportData & TAG_MASK) + switch (HIDReportItem & TAG_MASK) { case TAG_MAIN_INPUT: CurrReportItem->ItemType = REPORT_ITEM_TYPE_In; @@ -236,11 +245,11 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, uint16_t ReportSize, HID #endif } -#if !defined(HID_INCLUDE_CONSTANT_DATA_ITEMS) +#if defined(HID_INCLUDE_CONSTANT_DATA_ITEMS) + ParserData->TotalReportItems++; +#else if (!(ReportItemData & IOF_CONSTANT)) ParserData->TotalReportItems++; -#else - ParserData->TotalReportItems++; #endif } @@ -249,32 +258,12 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, uint16_t ReportSize, HID break; } - if ((*ReportData & TYPE_MASK) == TYPE_MAIN) + if ((HIDReportItem & TYPE_MASK) == TYPE_MAIN) { CurrStateTable->Attributes.Usage.MinMax.Minimum = 0; CurrStateTable->Attributes.Usage.MinMax.Maximum = 0; UsageStackSize = 0; } - - switch (*ReportData & DATA_SIZE_MASK) - { - case DATA_SIZE_4: - ReportSize -= 5; - ReportData += 5; - break; - case DATA_SIZE_2: - ReportSize -= 3; - ReportData += 3; - break; - case DATA_SIZE_1: - ReportSize -= 2; - ReportData += 2; - break; - case DATA_SIZE_0: - ReportSize -= 1; - ReportData += 1; - break; - } } return HID_PARSE_Successful; diff --git a/LUFA/ManPages/ChangeLog.txt b/LUFA/ManPages/ChangeLog.txt index ed39769758..a28c0d65c1 100644 --- a/LUFA/ManPages/ChangeLog.txt +++ b/LUFA/ManPages/ChangeLog.txt @@ -15,6 +15,8 @@ * Fixed: * - Fixed possible lockup in the CDC device class driver, when the host sends data that is a multiple of the * endpoint's bank + * - Fixed swapped paremeters in the HID state memory copy call while processing a HID PUSH item in the HID report parser + * - Fixed memory corruption HID report parser when too many COLLECTION or PUSH items were processed * * * \section Sec_ChangeLog090810 Version 090810 diff --git a/LUFA/ManPages/LUFAPoweredProjects.txt b/LUFA/ManPages/LUFAPoweredProjects.txt index 971749120c..dad5c9b901 100644 --- a/LUFA/ManPages/LUFAPoweredProjects.txt +++ b/LUFA/ManPages/LUFAPoweredProjects.txt @@ -32,6 +32,7 @@ * * - Bicycle POV: http://www.code.google.com/p/bicycleledpov/ * - CAMTRIG, a remote Camera Trigger device: http://code.astraw.com/projects/motmot/camtrig + * - "Fingerlicking Wingdinger" (WARNING: Bad Language if no Javascript), a MIDI controller - http://noisybox.net/electronics/wingdinger/ * - Opendous-JTAG, an open source JTAG device: http://code.google.com/p/opendous-jtag/ * - Openkubus, an open source hardware-based authentication dongle: http://code.google.com/p/openkubus/ * - Orbee, a USB connected RGB Orb for notifications: http://www.franksworkshop.com.au/Electronics/Orbee/Orbee.htm