From a2001ac1ccf4d4919c8243fbc69aff0b68973d3f Mon Sep 17 00:00:00 2001
From: Dean Camera <dean@fourwalledcubicle.com>
Date: Tue, 11 Aug 2009 08:36:25 +0000
Subject: [PATCH] Fixed swapped paremeters in the HID state memory copy call
 while processing a HID PUSH item in the HID report parser.

Fixed memory corruption in the HID report parser when too many COLLECTION or PUSH items were processed.

Make RNDIS device class driver include the CDC device class driver header, so that it can inherit the required CDC functional descriptor macro.

Make HID host class driver include the HID report parser.
---
 Demos/Device/ClassDriver/Mouse/Descriptors.h  |  4 +-
 .../ClassDriver/RNDISEthernet/Descriptors.h   | 18 +----
 Demos/Host/ClassDriver/CDCHost/CDCHost.h      |  3 +-
 Demos/Host/ClassDriver/MouseHost/MouseHost.c  |  2 +-
 Demos/Host/makefile                           |  2 +-
 LUFA/Drivers/USB/Class/Common/RNDIS.h         |  1 +
 LUFA/Drivers/USB/Class/Host/HID.c             | 14 +++-
 LUFA/Drivers/USB/Class/Host/HID.h             |  5 +-
 LUFA/Drivers/USB/Class/Host/HIDParser.c       | 75 ++++++++-----------
 LUFA/ManPages/ChangeLog.txt                   |  2 +
 LUFA/ManPages/LUFAPoweredProjects.txt         |  1 +
 11 files changed, 58 insertions(+), 69 deletions(-)

diff --git a/Demos/Device/ClassDriver/Mouse/Descriptors.h b/Demos/Device/ClassDriver/Mouse/Descriptors.h
index 0c3434260..8b8158ba8 100644
--- a/Demos/Device/ClassDriver/Mouse/Descriptors.h
+++ b/Demos/Device/ClassDriver/Mouse/Descriptors.h
@@ -37,11 +37,11 @@
 #define _DESCRIPTORS_H_
 
 	/* Includes: */
-		#include <avr/pgmspace.h>
-
 		#include <LUFA/Drivers/USB/USB.h>
 		#include <LUFA/Drivers/USB/Class/HID.h>
 
+		#include <avr/pgmspace.h>
+
 	/* Type Defines: */
 		/** Type define for the device configuration descriptor structure. This must be defined in the
 		 *  application code, as the configuration descriptor contains several sub-descriptors which
diff --git a/Demos/Device/ClassDriver/RNDISEthernet/Descriptors.h b/Demos/Device/ClassDriver/RNDISEthernet/Descriptors.h
index 28b801f1a..961a4f461 100644
--- a/Demos/Device/ClassDriver/RNDISEthernet/Descriptors.h
+++ b/Demos/Device/ClassDriver/RNDISEthernet/Descriptors.h
@@ -38,25 +38,11 @@
 
 	/* Includes: */
 		#include <LUFA/Drivers/USB/USB.h>
-
+		#include <LUFA/Drivers/USB/Class/RNDIS.h>
+		
 		#include <avr/pgmspace.h>
 
 	/* Macros: */
-		/** Macro to define a CDC class-specific functional descriptor. CDC functional descriptors have a
-		 *  uniform structure but variable sized data payloads, thus cannot be represented accurately by
-		 *  a single typedef struct. A macro is used instead so that functional descriptors can be created
-		 *  easily by specifying the size of the payload. This allows sizeof() to work correctly.
-		 *
-		 *  \param[in] DataSize  Size in bytes of the CDC functional descriptor's data payload
-		 */		
-		#define CDC_FUNCTIONAL_DESCRIPTOR(DataSize)        \
-		     struct                                        \
-		     {                                             \
-		          USB_Descriptor_Header_t Header;          \
-			      uint8_t                 SubType;         \
-		          uint8_t                 Data[DataSize];  \
-		     }
-
 		/** Endpoint number of the CDC device-to-host notification IN endpoint. */
 		#define CDC_NOTIFICATION_EPNUM         3
 
diff --git a/Demos/Host/ClassDriver/CDCHost/CDCHost.h b/Demos/Host/ClassDriver/CDCHost/CDCHost.h
index 87a0bbcac..ab31a5793 100644
--- a/Demos/Host/ClassDriver/CDCHost/CDCHost.h
+++ b/Demos/Host/ClassDriver/CDCHost/CDCHost.h
@@ -47,8 +47,7 @@
 		#include <LUFA/Drivers/Misc/TerminalCodes.h>
 		#include <LUFA/Drivers/Peripheral/SerialStream.h>
 		#include <LUFA/Drivers/Board/LEDs.h>
-		#include <LUFA/Drivers/USB/USB.h>
-		#include <LUFA/Drivers/USB/Class/Host/CDC.h>
+		#include <LUFA/Drivers/USB/USB.h>\
 		
 	/* Macros: */
 		/** LED mask for the library LED driver, to indicate that the USB interface is not ready. */
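Review bot: The new include line ends in a stray backslash, `#include <LUFA/Drivers/USB/USB.h>\`, which splices the following line into the directive. It is harmless only because that line is currently whitespace, and it will break the include as soon as anything is placed there; the line should be `#include <LUFA/Drivers/USB/USB.h>`. The same hunk drops the `Class/Host/CDC.h` include while the Demos/Host makefile change re-enables the ClassDriver build, so it is worth confirming that CDCHost.c no longer needs the CDC host class driver declarations.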
diff --git a/Demos/Host/ClassDriver/MouseHost/MouseHost.c b/Demos/Host/ClassDriver/MouseHost/MouseHost.c
index 65fb4893a..cf2997bcd 100644
--- a/Demos/Host/ClassDriver/MouseHost/MouseHost.c
+++ b/Demos/Host/ClassDriver/MouseHost/MouseHost.c
@@ -105,7 +105,7 @@ int main(void)
 				USB_HostState = HOST_STATE_Configured;
 				break;
 			case HOST_STATE_Configured:
-				if (HID_Host_ReportReceived(&Mouse_HID_Interface))
+				if (HID_Host_IsReportReceived(&Mouse_HID_Interface))
 				{
 					
 				}
diff --git a/Demos/Host/makefile b/Demos/Host/makefile
index 253141330..937c8fac8 100644
--- a/Demos/Host/makefile
+++ b/Demos/Host/makefile
@@ -14,5 +14,5 @@
 # code.
 
 %:
-#	make -C ClassDriver/ $@        <TODO: Re-enable after Host class drivers complete>
+	make -C ClassDriver/ $@
 	make -C LowLevel/ $@
diff --git a/LUFA/Drivers/USB/Class/Common/RNDIS.h b/LUFA/Drivers/USB/Class/Common/RNDIS.h
index 5c875b7de..88ee04f47 100644
--- a/LUFA/Drivers/USB/Class/Common/RNDIS.h
+++ b/LUFA/Drivers/USB/Class/Common/RNDIS.h
@@ -37,6 +37,7 @@
 
 	/* Includes: */
 		#include "../../USB.h"
+		#include "CDC.h"
 		
 		#include <string.h>
 	
diff --git a/LUFA/Drivers/USB/Class/Host/HID.c b/LUFA/Drivers/USB/Class/Host/HID.c
index 3a4faffbd..a42f8afa3 100644
--- a/LUFA/Drivers/USB/Class/Host/HID.c
+++ b/LUFA/Drivers/USB/Class/Host/HID.c
@@ -127,11 +127,21 @@ void HID_Host_USBTask(USB_ClassInfo_HID_Host_t* HIDInterfaceInfo)
 
 }
 
-void HID_Host_IsReportReceived(USB_ClassInfo_HID_Host_t* HIDInterfaceInfo)
+bool HID_Host_IsReportReceived(USB_ClassInfo_HID_Host_t* HIDInterfaceInfo)
 {
+	bool ReportReceived;
+
+	if ((USB_HostState != HOST_STATE_Configured) || !(HIDInterfaceInfo->State.Active))
+	  return false;
+
 	Pipe_SelectPipe(HIDInterfaceInfo->Config.DataINPipeNumber);
+	Pipe_Unfreeze();
+	
+	ReportReceived = Pipe_IsReadWriteAllowed();
+	
+	Pipe_Freeze();
 
-	return Pipe_IsReadWriteAllowed();
+	return ReportReceived;
 }
 
 #endif
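Review bot: `HID_Host_IsReportReceived()` has no documentation for behaviour a caller cannot read from its signature. It returns `false` both when no report is waiting and when the host is not configured or the interface is inactive, and on the non-early-return path it leaves `DataINPipeNumber` as the selected pipe and leaves that pipe frozen. Neither the definition here nor the prototype in HID.h says so; a Doxygen block on the prototype covering the parameter, the two meanings of a `false` return and the pipe side effects would be enough. `HIDInterfaceInfo` is dereferenced unchecked, so that comment should also state that callers must pass a valid pointer.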
diff --git a/LUFA/Drivers/USB/Class/Host/HID.h b/LUFA/Drivers/USB/Class/Host/HID.h
index 0386881d2..e67103a69 100644
--- a/LUFA/Drivers/USB/Class/Host/HID.h
+++ b/LUFA/Drivers/USB/Class/Host/HID.h
@@ -47,6 +47,7 @@
 	/* Includes: */
 		#include "../../USB.h"
 		#include "../Common/HID.h"
+		#include "HIDParser.h"
 		
 	/* Enable C linkage for C++ Compilers: */
 		#if defined(__cplusplus)
@@ -95,14 +96,14 @@
 				HID_ENUMERROR_InvalidConfigDescriptor    = 1, /**< The device returned an invalid Configuration Descriptor */
 				HID_ENUMERROR_NoHIDInterfaceFound        = 2, /**< A compatible HID interface was not found in the device's Configuration Descriptor */
 				HID_ENUMERROR_EndpointsNotFound          = 3, /**< Compatible HID endpoints were not found in the device's CDC interface */
-			} CDCHost_EnumerationFailure_ErrorCodes_t;
+			} HIDHost_EnumerationFailure_ErrorCodes_t;
 	
 		/* Function Prototypes: */
 			void HID_Host_USBTask(USB_ClassInfo_HID_Host_t* HIDInterfaceInfo);
 			uint8_t HID_Host_ConfigurePipes(USB_ClassInfo_HID_Host_t* HIDInterfaceInfo, uint16_t ConfigDescriptorLength,
 			                                uint8_t* DeviceConfigDescriptor);
 
-			void HID_Host_IsReportReceived(USB_ClassInfo_HID_Host_t* HIDInterfaceInfo);
+			bool HID_Host_IsReportReceived(USB_ClassInfo_HID_Host_t* HIDInterfaceInfo);
 		
 	/* Private Interface - For use in library only: */
 	#if !defined(__DOXYGEN__)
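Review bot: The Doxygen text on `HID_ENUMERROR_EndpointsNotFound` still says the endpoints were not found in the device's "CDC interface", the same copy-paste leftover as the typedef name this hunk corrects. It should read `/**< Compatible HID endpoints were not found in the device's HID interface */`. The enum begins above the hunk, so any other CDC wording in its earlier members is not visible here.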
diff --git a/LUFA/Drivers/USB/Class/Host/HIDParser.c b/LUFA/Drivers/USB/Class/Host/HIDParser.c
index cee602a33..7ec003f27 100644
--- a/LUFA/Drivers/USB/Class/Host/HIDParser.c
+++ b/LUFA/Drivers/USB/Class/Host/HIDParser.c
@@ -36,44 +36,53 @@
 uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, uint16_t ReportSize, HID_ReportInfo_t* const ParserData)
 {
 	HID_StateTable_t  StateTable[HID_STATETABLE_STACK_DEPTH];
-	HID_StateTable_t* CurrStateTable               = &StateTable[0];
+	HID_StateTable_t* CurrStateTable          = &StateTable[0];
 	uint16_t          UsageStack[HID_USAGE_STACK_DEPTH];
-	uint8_t           UsageStackSize               = 0;
-	uint16_t          BitOffsetIn                  = 0;
-	uint16_t          BitOffsetOut                 = 0;
+	uint8_t           UsageStackSize          = 0;
+	uint16_t          BitOffsetIn             = 0;
+	uint16_t          BitOffsetOut            = 0;
 #if defined(HID_ENABLE_FEATURE_PROCESSING)
-	uint16_t          BitOffsetFeature             = 0;
+	uint16_t          BitOffsetFeature        = 0;
 #endif
-	HID_CollectionPath_t* CurrCollectionPath       = NULL;
+	HID_CollectionPath_t* CurrCollectionPath  = NULL;
 
-	memset((void*)ParserData, 0x00, sizeof(HID_ReportInfo_t));
-	memset((void*)StateTable, 0x00, sizeof(StateTable));
+	memset(ParserData, 0x00, sizeof(HID_ReportInfo_t));
+	memset(StateTable, 0x00, sizeof(StateTable));
 
 	while (ReportSize)
 	{
+		uint8_t  HIDReportItem  = *(ReportData++);
 		uint32_t ReportItemData = 0;
 		
-		switch (*ReportData & DATA_SIZE_MASK)
+		ReportSize--;
+		
+		switch (HIDReportItem & DATA_SIZE_MASK)
 		{
 			case DATA_SIZE_4:
-				ReportItemData = *((uint32_t*)(ReportData + 1));
+				ReportItemData  = *((uint32_t*)ReportData);
+				ReportSize     -= 4;
+				ReportData     += 4;
 				break;
 			case DATA_SIZE_2:
-				ReportItemData = *((uint16_t*)(ReportData + 1));
+				ReportItemData  = *((uint16_t*)ReportData);
+				ReportSize     -= 2;
+				ReportData     += 2;
 				break;
 			case DATA_SIZE_1:
-				ReportItemData = *((uint8_t*)(ReportData + 1));
+				ReportItemData  = *((uint8_t*)ReportData);
+				ReportSize     -= 1;
+				ReportData     += 1;
 				break;
 		}
 
-		switch (*ReportData & (TYPE_MASK | TAG_MASK))
+		switch (HIDReportItem & (TYPE_MASK | TAG_MASK))
 		{
 			case (TYPE_GLOBAL | TAG_GLOBAL_PUSH):
-				if (CurrStateTable == &StateTable[HID_STATETABLE_STACK_DEPTH])
+				if (CurrStateTable == &StateTable[HID_STATETABLE_STACK_DEPTH - 1])
 				  return HID_PARSE_HIDStackOverflow;
 	
-				memcpy((CurrStateTable - 1),
-				       CurrStateTable,
+				memcpy(CurrStateTable,
+				       (CurrStateTable + 1),
 				       sizeof(HID_ReportItem_t));
 
 				CurrStateTable++;
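Review bot: The item-data reads in the first `switch` never check that `ReportSize` still covers the 1, 2 or 4 data bytes, so a descriptor whose last item is truncated is read past the end of the buffer. The `uint16_t` `ReportSize` then wraps instead of reaching zero, which keeps `while (ReportSize)` parsing unrelated memory. The descriptor is supplied by the attached device, so each case should reject a short remainder before the read, e.g. `if (ReportSize < 4) return PARSE_ERROR_CODE_PLACEHOLDER;` (placeholder name; no suitable `HID_PARSE_*` value is visible in this hunk). In the PUSH case the new `memcpy` still has destination and source reversed: it copies the unused next slot over the current state before `CurrStateTable++`. It should be `memcpy((CurrStateTable + 1), CurrStateTable, sizeof(HID_StateTable_t));`, which also sizes the copy by the array's element type rather than `HID_ReportItem_t`, whose size relative to a table entry is not shown here. The function body continues past this hunk.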
@@ -113,7 +122,7 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, uint16_t ReportSize, HID
 				break;
 			case (TYPE_GLOBAL | TAG_GLOBAL_REPORTID):
 				CurrStateTable->ReportID                    = ReportItemData;
-				BitOffsetIn = 0;
+				BitOffsetIn  = 0;
 				BitOffsetOut = 0;
 				break;
 			case (TYPE_LOCAL | TAG_LOCAL_USAGE):
@@ -141,7 +150,7 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, uint16_t ReportSize, HID
 
 					while (CurrCollectionPath->Parent != NULL);
 					{
-						if (CurrCollectionPath == &ParserData->CollectionPaths[HID_MAX_COLLECTIONS])
+						if (CurrCollectionPath == &ParserData->CollectionPaths[HID_MAX_COLLECTIONS - 1])
 						  return HID_PARSE_InsufficientCollectionPaths;
 					
 						CurrCollectionPath++;
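Review bot: The context line `while (CurrCollectionPath->Parent != NULL);` ends in a semicolon, so the loop has an empty body and the braced block below it runs exactly once instead of iterating. If the entry `CurrCollectionPath` points at is already in use, the condition never changes and the parser spins forever, which a device could presumably trigger with a second COLLECTION item. The corrected `HID_MAX_COLLECTIONS - 1` bound therefore only takes effect once the line reads `while (CurrCollectionPath->Parent != NULL)`. The assignment that initialises `CurrCollectionPath` and the end of this block are outside the hunk, so this should be confirmed against the full function.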
@@ -209,7 +218,7 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, uint16_t ReportSize, HID
 						CurrReportItem->Attributes.Usage.Usage = 0;
 					}
 											
-					switch (*ReportData & TAG_MASK)
+					switch (HIDReportItem & TAG_MASK)
 					{
 						case TAG_MAIN_INPUT:
 							CurrReportItem->ItemType  = REPORT_ITEM_TYPE_In;
@@ -236,11 +245,11 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, uint16_t ReportSize, HID
 #endif
 					}
 					
-#if !defined(HID_INCLUDE_CONSTANT_DATA_ITEMS)
+#if defined(HID_INCLUDE_CONSTANT_DATA_ITEMS)
+					ParserData->TotalReportItems++;
+#else
 					if (!(ReportItemData & IOF_CONSTANT))
 					  ParserData->TotalReportItems++;
-#else
-					ParserData->TotalReportItems++;
 #endif
 				}
 				
@@ -249,32 +258,12 @@ uint8_t USB_ProcessHIDReport(const uint8_t* ReportData, uint16_t ReportSize, HID
 				break;
 		}
 	  
-		if ((*ReportData & TYPE_MASK) == TYPE_MAIN)
+		if ((HIDReportItem & TYPE_MASK) == TYPE_MAIN)
 		{
 			CurrStateTable->Attributes.Usage.MinMax.Minimum = 0;
 			CurrStateTable->Attributes.Usage.MinMax.Maximum = 0;
 			UsageStackSize = 0;
 		}
-		
-		switch (*ReportData & DATA_SIZE_MASK)
-		{
-			case DATA_SIZE_4:
-				ReportSize -= 5;
-				ReportData += 5;
-				break;
-			case DATA_SIZE_2:
-				ReportSize -= 3;
-				ReportData += 3;
-				break;
-			case DATA_SIZE_1:
-				ReportSize -= 2;
-				ReportData += 2;
-				break;
-			case DATA_SIZE_0:
-				ReportSize -= 1;
-				ReportData += 1;
-				break;
-		}
 	}
 	
 	return HID_PARSE_Successful;
diff --git a/LUFA/ManPages/ChangeLog.txt b/LUFA/ManPages/ChangeLog.txt
index ed3976975..a28c0d65c 100644
--- a/LUFA/ManPages/ChangeLog.txt
+++ b/LUFA/ManPages/ChangeLog.txt
@@ -15,6 +15,8 @@
   *  <b>Fixed:</b>
   *  - Fixed possible lockup in the CDC device class driver, when the host sends data that is a multiple of the
   *    endpoint's bank
+  *  - Fixed swapped paremeters in the HID state memory copy call while processing a HID PUSH item in the HID report parser
+  *  - Fixed memory corruption HID report parser when too many COLLECTION or PUSH items were processed
   *
   *
   *  \section Sec_ChangeLog090810 Version 090810
diff --git a/LUFA/ManPages/LUFAPoweredProjects.txt b/LUFA/ManPages/LUFAPoweredProjects.txt
index 971749120..dad5c9b90 100644
--- a/LUFA/ManPages/LUFAPoweredProjects.txt
+++ b/LUFA/ManPages/LUFAPoweredProjects.txt
@@ -32,6 +32,7 @@
  *
  *  - Bicycle POV: http://www.code.google.com/p/bicycleledpov/
  *  - CAMTRIG, a remote Camera Trigger device: http://code.astraw.com/projects/motmot/camtrig
+ *  - "Fingerlicking Wingdinger" (WARNING: Bad Language if no Javascript), a MIDI controller - http://noisybox.net/electronics/wingdinger/
  *  - Opendous-JTAG, an open source JTAG device: http://code.google.com/p/opendous-jtag/
  *  - Openkubus, an open source hardware-based authentication dongle: http://code.google.com/p/openkubus/
  *  - Orbee, a USB connected RGB Orb for notifications: http://www.franksworkshop.com.au/Electronics/Orbee/Orbee.htm
-- 
GitLab