
USBD_CtlSendData() is called with a pointer to stack allocated memory

Open jobasto opened this issue 2 years ago • 2 comments

Problem:

In Class/CDC/Src/usbd_cdc.c, Class/CDC_ECM/Src/usbd_cdc_ecm.c, Class/CCID/Src/usbd_ccid.c, Class/CCID/Src/usbd_ccid.c (and maybe others) USBD_CtlSendData() is called with a pointer to stack allocated memory for its pbuf parameter.

Example:

https://github.com/STMicroelectronics/stm32_mw_usb_device/blob/555ce2b1f7960031f153c93ed4e1c0bb95f34c95/Class/CDC/Src/usbd_cdc.c#L433
https://github.com/STMicroelectronics/stm32_mw_usb_device/blob/555ce2b1f7960031f153c93ed4e1c0bb95f34c95/Class/CDC/Src/usbd_cdc.c#L438
https://github.com/STMicroelectronics/stm32_mw_usb_device/blob/555ce2b1f7960031f153c93ed4e1c0bb95f34c95/Class/CDC/Src/usbd_cdc.c#L494

USBD_CtlSendData() does not read the content of ifalt immediately but only stores the pointer to it via USBD_LL_Transmit()->HAL_PCD_EP_Transmit(). Reading only takes place when the transmit fifo empty interrupt fires. At that moment USBD_CDC_Setup() may already have returned and ifalt may have gone out of scope.

Solution:

Declare ifalt as const static. Examine the code for other locations where stack allocated memory is passed to USBD_CtlSendData(). Modify USBD_CtlSendData()'s signature from

USBD_StatusTypeDef USBD_CtlSendData(USBD_HandleTypeDef *pdev,
                                    uint8_t *pbuf, uint32_t len)

to

USBD_StatusTypeDef USBD_CtlSendData(USBD_HandleTypeDef *pdev,
                                    const uint8_t *pbuf, uint32_t len)

to be able to pass a const pointer without cast.

jobasto avatar Jun 02 '22 15:06 jobasto
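As an added illustration of the lifetime problem described in the report (example code, not from the issue or from the ST middleware): a toy model in which the control-IN send only records the pointer and dereferences it later from a simulated TX-FIFO-empty interrupt, with the stack-allocated handler beside the static const variant proposed as the fix. The names usb_dev_t, ctl_send_data(), txfe_isr() and reply_byte() are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Toy model (an assumption, not the ST middleware) of a control-IN transfer:
 * ctl_send_data() only records the pointer; the bytes are copied into the
 * endpoint FIFO later, when the TX-FIFO-empty interrupt handler runs. */
typedef struct {
    const uint8_t *pending;  /* pointer handed over by ctl_send_data() */
    uint32_t       len;
    uint8_t        fifo[8];  /* what actually goes on the wire */
} usb_dev_t;
static void ctl_send_data(usb_dev_t *dev, const uint8_t *pbuf, uint32_t len) {
    dev->pending = pbuf;     /* deferred, like USBD_LL_Transmit()/HAL_PCD_EP_Transmit() */
    dev->len = len;
}
/* Simulated TX-FIFO-empty ISR: the first and only time pbuf is dereferenced. */
static void txfe_isr(usb_dev_t *dev) {
    memcpy(dev->fifo, dev->pending, dev->len);
    dev->pending = NULL;
}
/* The pattern reported above: ifalt lives on this function's stack frame, which
 * is gone by the time txfe_isr() reads through the stored pointer. */
static void setup_get_interface_buggy(usb_dev_t *dev) {
    uint8_t ifalt = 0U;
    ctl_send_data(dev, &ifalt, 1U);  /* dangling as soon as this returns */
}

/* Proposed fix: static storage outlives the handler; const needs no cast. */
static void setup_get_interface_fixed(usb_dev_t *dev) {
    static const uint8_t ifalt = 0U;
    ctl_send_data(dev, &ifalt, 1U);
}

/* Other code running on the same stack between the setup handler and the ISR. */
static void other_work_on_stack(void) {
    volatile uint8_t scratch[64];
    for (size_t i = 0; i < sizeof scratch; i++) scratch[i] = 0xA5U;
}

/* Byte that reaches the FIFO. With the buggy handler the read is undefined
 * behaviour (often the 0xA5 scratch fill); with the fixed one it is always 0. */
int reply_byte(int use_fixed) {
    usb_dev_t dev = {0};
    if (use_fixed) setup_get_interface_fixed(&dev);
    else           setup_get_interface_buggy(&dev);
    other_work_on_stack();
    txfe_isr(&dev);
    return dev.fifo[0];
}
```

Only the fixed path has a defined result; the buggy path is kept to show the shape of the reported code, not to be relied on.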

The same applies to status_info, which is declared on the line after ifalt.

billybednar avatar Jun 29 '22 16:06 billybednar

Hi @jobasto,

First of all, please excuse this delayed reply. Many thanks for this analysis. Your point looks relevant after following your reasoning. May I ask if you could reproduce the issue you described before digging any further?

With regards,

ALABSTM avatar Feb 13 '24 16:02 ALABSTM

Hi @jobasto,

I hope you are doing well. Please allow me to close this issue as there has been no activity for a while. Thank you for your comprehension.

With regards,

ALABSTM avatar Jul 15 '24 09:07 ALABSTM

Hi @ALABSTM,

I'm wondering why this issue is closed because it is clearly a bug. My first report should suffice to show that. Unfortunately, I'm not working on USB anymore so I'm not able to support you in fixing this bug.

Best regards,

jobasto avatar Jul 15 '24 10:07 jobasto