eclipse-threadx / usbx

Eclipse ThreadX - USBX is a high-performance USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Eclipse ThreadX RTOS
https://github.com/eclipse-threadx/rtos-docs/blob/main/rtos-docs/usbx/index.md
MIT License

wrong "packet_size" calculation for ISO/INT endpoint #50

Closed alambe94 closed 2 years ago

alambe94 commented 2 years ago

Wrong calculation if wMaxPacketSize has multiple transfers per microframe

In file "ux_host_stack_new_endpoint_create.c" line 157

        /* Number transaction over 2 additional is not allowed. */
        n_tran = endpoint -> ux_endpoint_descriptor.wMaxPacketSize & UX_MAX_NUMBER_OF_TRANSACTIONS_MASK;
        if (n_tran >= UX_MAX_NUMBER_OF_TRANSACTIONS_MASK)
        {
            _ux_utility_memory_free(endpoint);
            return(UX_DESCRIPTOR_CORRUPTED);
        }

and at line no 185 which will cause packet_size to be a very large value

packet_size *= (n_tran + 1);

It should be

        /* Number transaction over 2 additional is not allowed. */
        n_tran = ((endpoint -> ux_endpoint_descriptor.wMaxPacketSize & UX_MAX_NUMBER_OF_TRANSACTIONS_MASK) >> UX_MAX_NUMBER_OF_TRANSACTIONS_SHIFT);
        if (n_tran > 2)
        {
            _ux_utility_memory_free(endpoint);
            return(UX_DESCRIPTOR_CORRUPTED);
        }

xiaocq2001 commented 2 years ago

Yes. Before using n_tran, there should be n_tran >>= UX_MAX_NUMBER_OF_TRANSACTIONS_SHIFT;

I'm using

        n_tran = endpoint -> ux_endpoint_descriptor.wMaxPacketSize & UX_MAX_NUMBER_OF_TRANSACTIONS_MASK;
        if (n_tran >= UX_MAX_NUMBER_OF_TRANSACTIONS_MASK)
        {
            _ux_utility_memory_free(endpoint);
            return(UX_DESCRIPTOR_CORRUPTED);
        }

...

        n_tran >>= UX_MAX_NUMBER_OF_TRANSACTIONS_SHIFT;
        packet_size *= (n_tran + 1);

to skip the bit operation in the error case.

alambe94 commented 2 years ago

Fixed in V6.1.11
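
Added example, not code from the USBX sources or from the participants in this issue: a stand-alone C comparison of the unshifted and shifted packet_size calculations discussed above, run over constructed wMaxPacketSize values. The macro values are assumptions taken from the USB 2.0 wMaxPacketSize layout (bits 10..0 size, bits 12..11 additional transactions), and EX_DESCRIPTOR_CORRUPTED and both function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values (USB 2.0 wMaxPacketSize layout), not copied from ux_api.h:
   bits 10..0 = packet size, bits 12..11 = additional transactions. */
#define UX_MAX_PACKET_SIZE_MASK              0x07FFu
#define UX_MAX_NUMBER_OF_TRANSACTIONS_MASK   0x1800u
#define UX_MAX_NUMBER_OF_TRANSACTIONS_SHIFT  11

/* Hypothetical marker for a rejected descriptor in this example. */
#define EX_DESCRIPTOR_CORRUPTED UINT32_MAX

/* Calculation as reported: the masked field is multiplied without a shift. */
static uint32_t packet_size_unshifted(uint16_t w_max_packet_size)
{
    uint32_t n_tran = w_max_packet_size & UX_MAX_NUMBER_OF_TRANSACTIONS_MASK;
    if (n_tran >= UX_MAX_NUMBER_OF_TRANSACTIONS_MASK)
        return EX_DESCRIPTOR_CORRUPTED;      /* field value 3 is rejected */
    uint32_t packet_size = w_max_packet_size & UX_MAX_PACKET_SIZE_MASK;
    return packet_size * (n_tran + 1);       /* n_tran is 0, 0x800 or 0x1000 */
}

/* Calculation with the shift applied after the error check. */
static uint32_t packet_size_shifted(uint16_t w_max_packet_size)
{
    uint32_t n_tran = w_max_packet_size & UX_MAX_NUMBER_OF_TRANSACTIONS_MASK;
    if (n_tran >= UX_MAX_NUMBER_OF_TRANSACTIONS_MASK)
        return EX_DESCRIPTOR_CORRUPTED;      /* same rejection as above */
    n_tran >>= UX_MAX_NUMBER_OF_TRANSACTIONS_SHIFT;   /* now 0, 1 or 2 */
    uint32_t packet_size = w_max_packet_size & UX_MAX_PACKET_SIZE_MASK;
    return packet_size * (n_tran + 1);
}

int main(void)
{
    /* Constructed samples: 64 bytes x1, 1024 x2, 1024 x3, reserved field. */
    static const uint16_t samples[] = { 0x0040, 0x0C00, 0x1400, 0x1C00 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("wMaxPacketSize=0x%04X unshifted=%u shifted=%u\n",
               (unsigned)samples[i],
               (unsigned)packet_size_unshifted(samples[i]),
               (unsigned)packet_size_shifted(samples[i]));
    return 0;
}
```

The two versions agree when the field is zero and on the rejected value 3; they differ only for endpoints that declare one or two additional transactions.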