stm32_mw_usb_device
USBD_CtlSendData() is called with a pointer to stack allocated memory
Problem:
In Class/CDC/Src/usbd_cdc.c, Class/CDC_ECM/Src/usbd_cdc_ecm.c, Class/CCID/Src/usbd_ccid.c, Class/CCID/Src/usbd_ccid.c (and maybe others) USBD_CtlSendData() is called with pointer to stack allocated memory for its pbuf parameter.
Example:
https://github.com/STMicroelectronics/stm32_mw_usb_device/blob/555ce2b1f7960031f153c93ed4e1c0bb95f34c95/Class/CDC/Src/usbd_cdc.c#L433
https://github.com/STMicroelectronics/stm32_mw_usb_device/blob/555ce2b1f7960031f153c93ed4e1c0bb95f34c95/Class/CDC/Src/usbd_cdc.c#L438
https://github.com/STMicroelectronics/stm32_mw_usb_device/blob/555ce2b1f7960031f153c93ed4e1c0bb95f34c95/Class/CDC/Src/usbd_cdc.c#L494
USBD_CtlSendData() does not read the content of ifalt immediately but only stores the pointer to it via USBD_LL_Transmit()->HAL_PCD_EP_Transmit(). Reading only takes place when the transmit fifo empty interrupt fires. At that moment USBD_CDC_Setup() may already have returned and ifalt may have gone out of scope.
Solution:
Declare ifalt as const static. Examine the code for other locations where stack allocated memory is passed to USBD_CtlSendData(). Modify USBD_CtlSendData()'s signature from
USBD_StatusTypeDef USBD_CtlSendData(USBD_HandleTypeDef *pdev,
                                    uint8_t *pbuf, uint32_t len)
to
USBD_StatusTypeDef USBD_CtlSendData(USBD_HandleTypeDef *pdev,
                                    const uint8_t *pbuf, uint32_t len)
to be able to pass a const pointer without cast.
The same applies to status_info, which is declared on the line after ifalt.
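The deferred read described in this issue, as an added host-side model that is not code from the issue or from the ST middleware: the `mock_` functions, `frame_slot` (standing in for the stack slot that held `ifalt`) and the byte values are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Host-side model (assumption): mock_ names are hypothetical and only mimic
 * the "store the pointer now, read it in the interrupt" behaviour. */
static const uint8_t *pending_buf;  /* pointer kept by the send call */
static uint8_t frame_slot[1];       /* models the stack slot of the local ifalt */

/* Like the send call described in the issue: keeps the pointer, copies nothing. */
static void mock_ctl_send_data(const uint8_t *pbuf, uint32_t len)
{
    (void)len;
    pending_buf = pbuf;
}

/* Models the transmit-FIFO-empty interrupt: the byte is read only here. */
static uint8_t mock_tx_fifo_empty_irq(void)
{
    return pending_buf[0];
}

/* Reported pattern: the buffer lives in the handler's frame. */
static void setup_handler_stack(void)
{
    frame_slot[0] = 0x00u;              /* constructed value for the local */
    mock_ctl_send_data(&frame_slot[0], 1u);
}                                       /* frame is released on return */

/* Proposed fix: static const storage outlives the handler. */
static void setup_handler_static(void)
{
    static const uint8_t ifalt = 0x00u; /* constructed value */
    mock_ctl_send_data(&ifalt, 1u);
}

/* Handler returns, other code reuses the frame, then the interrupt fires. */
static uint8_t run_sequence(void (*setup_handler)(void))
{
    setup_handler();
    frame_slot[0] = 0xA5u;              /* unrelated call overwrites the slot */
    return mock_tx_fifo_empty_irq();    /* byte that would go to the host */
}

int main(void)
{
    printf("stack buffer sent:  0x%02X\n", (unsigned)run_sequence(setup_handler_stack));
    printf("static buffer sent: 0x%02X\n", (unsigned)run_sequence(setup_handler_static));
    return 0;
}
```

The model uses an explicit array for the reused frame so the result is deterministic; on the real target the same sequence reads whatever later code left in that stack location.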