
Obvious bug in 5.0 USB stack, in file usb_cdc.c

Question asked by John Strohm on Oct 1, 2014
Latest reply on Oct 10, 2014 by jeremyzhou

Routines USB_Cdc_Allocate_Handle() and USB_Cdc_Free_Handle() both walk through cdc_device_array.

    cdc_device_struct_t cdc_device_array[MAX_CDC_DEVICE];

    static usb_status USB_Cdc_Allocate_Handle(cdc_handle_t* handle)
    {
        uint32_t cnt = 0;
        for (;cnt< MAX_CDC_DEVICE;cnt++)
        {
            if (cdc_device_array[cnt].controller_handle == NULL)
            {
                *handle = (cdc_handle_t)&cdc_device_array[cnt];
                return USB_OK;
            }
        }
        return USBERR_DEVICE_BUSY;
    }

    static usb_status USB_Cdc_Free_Handle(cdc_handle_t handle)
    {
        int32_t cnt = 0;
        for (;cnt< USBCFG_DEV_MAX_CLASS_OBJECT;cnt++)
        {
            if (((cdc_handle_t)&cdc_device_array[cnt]) == handle)
            {
                OS_Mem_zero((void *)handle, sizeof(cdc_device_struct_t));
                return USB_OK;
            }
        }

        return USBERR_INVALID_PARAM;
    }

If some poor maintenance guy changes USBCFG_DEV_MAX_CLASS_OBJECT, and forgets to update MAX_CDC_DEVICE, he will break USB_Cdc_Free_Handle().


The for-statement in USB_Cdc_Free_Handle()


    for (;cnt< USBCFG_DEV_MAX_CLASS_OBJECT;cnt++)


should be identical to the for-statement in USB_Cdc_Allocate_Handle().


    for (;cnt< MAX_CDC_DEVICE;cnt++)
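A hardened form of the allocate/free pair, added here as an example and not code from the original post or from the NXP stack: the loop bound is derived from the array itself, so a second macro cannot drift out of step, and the self-check shows a pointer that is not one of the slots being rejected rather than the walk running past the array. The types, status codes and in-use marking are constructed stand-ins.

```c
#include <stddef.h>
#include <string.h>
/* Constructed stand-ins for the stack's types and status codes (assumption, not the real headers). */
typedef enum { USB_OK = 0, USBERR_DEVICE_BUSY, USBERR_INVALID_PARAM } usb_status;
typedef struct { void *controller_handle; char payload[8]; } cdc_device_struct_t;
typedef void *cdc_handle_t;

#define MAX_CDC_DEVICE 2
static cdc_device_struct_t cdc_device_array[MAX_CDC_DEVICE];
/* One bound, derived from the array itself, so no second macro can drift out of step. */
#define CDC_DEVICE_COUNT (sizeof cdc_device_array / sizeof cdc_device_array[0])

static usb_status cdc_allocate_handle(cdc_handle_t *handle)
{
    for (size_t cnt = 0; cnt < CDC_DEVICE_COUNT; cnt++) {
        if (cdc_device_array[cnt].controller_handle == NULL) {
            /* Stand-in for the caller's init: mark the slot as taken. */
            cdc_device_array[cnt].controller_handle = &cdc_device_array[cnt];
            *handle = &cdc_device_array[cnt];
            return USB_OK;
        }
    }
    return USBERR_DEVICE_BUSY;
}

static usb_status cdc_free_handle(cdc_handle_t handle)
{
    for (size_t cnt = 0; cnt < CDC_DEVICE_COUNT; cnt++) {
        if ((cdc_handle_t)&cdc_device_array[cnt] == handle) {
            memset(handle, 0, sizeof(cdc_device_struct_t));
            return USB_OK;
        }
    }
    return USBERR_INVALID_PARAM; /* unknown pointer: rejected, never compared past the array */
}

/* Exercises the pool: fill it, overflow is refused, a stray pointer is refused, a freed slot is reused. */
static int cdc_pool_selfcheck(void)
{
    cdc_handle_t a, b, c; cdc_device_struct_t stray;
    int ok = 1;
    ok &= cdc_allocate_handle(&a) == USB_OK;
    ok &= cdc_allocate_handle(&b) == USB_OK;
    ok &= cdc_allocate_handle(&c) == USBERR_DEVICE_BUSY;
    ok &= cdc_free_handle(&stray) == USBERR_INVALID_PARAM;
    ok &= cdc_free_handle(a) == USB_OK;
    ok &= cdc_allocate_handle(&c) == USB_OK && c == a;
    return ok;
}
```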
