From ebcd7067c9b86b8df8a3f9cf07ba76edd9e7440c Mon Sep 17 00:00:00 2001
From: GuavTek
Date: Fri, 18 Oct 2024 18:05:58 +0200
Subject: [PATCH 1/2] Recover host enumeration from zero length descriptors
---
 src/host/usbh.c | 7 +++++++
 src/tusb.c | 4 ++++
 2 files changed, 11 insertions(+)
diff --git a/src/host/usbh.c b/src/host/usbh.c
index b5df29f50..1b45fd1be 100644
--- a/src/host/usbh.c
+++ b/src/host/usbh.c
@@ -1645,6 +1645,13 @@ static bool _parse_configuration_descriptor(uint8_t dev_addr, tusb_desc_configur
 // desc_iad->bFunctionClass == desc_itf->bInterfaceClass);
 }
+ if ( 0 == tu_desc_len(p_desc) ) {
+ // A zero length descriptor indicates that the wTotalLength field is wrong.
+ // Parsed interfaces should still be usable
+ TU_LOG_USBH("Encountered a zero-length descriptor after %u bytes\r\n", (uint32_t)p_desc - (uint32_t)desc_cfg);
+ break;
+ }
+
 TU_ASSERT( TUSB_DESC_INTERFACE == tu_desc_type(p_desc) );
 tusb_desc_interface_t const* desc_itf = (tusb_desc_interface_t const*) p_desc;
diff --git a/src/tusb.c b/src/tusb.c
index e6f8055b7..799ffdce9 100644
--- a/src/tusb.c
+++ b/src/tusb.c
@@ -255,6 +255,10 @@ uint16_t tu_desc_get_interface_total_len(tusb_desc_interface_t const* desc_itf,
 ((tusb_desc_interface_t const*) p_desc)->bAlternateSetting == 0) {
 break;
 }
+ if (tu_desc_len(p_desc) == 0) {
+ // Escape infinite loop
+ break;
+ }
 len += tu_desc_len(p_desc);
 p_desc = tu_desc_next(p_desc);
From 4212db1b83e472e669173b94f692e574c9f23720 Mon Sep 17 00:00:00 2001
From: GuavTek
Date: Wed, 27 Nov 2024 22:19:42 +0100
Subject: [PATCH 2/2] Move desc_len sanity checks to start of loops
---
 src/host/usbh.c | 14 +++++++-------
 src/tusb.c | 8 ++++----
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/src/host/usbh.c b/src/host/usbh.c
index 1b45fd1be..fe5bf1c9e 100644
--- a/src/host/usbh.c
+++ b/src/host/usbh.c
@@ -1631,6 +1631,13 @@ static bool _parse_configuration_descriptor(uint8_t dev_addr, tusb_desc_configur
 // parse each interfaces
 while( p_desc < desc_end ) {
+ if ( 0 == tu_desc_len(p_desc) ) {
+ // A zero length descriptor indicates that the device is off spec (e.g. wrong wTotalLength).
+ // Parsed interfaces should still be usable
+ TU_LOG_USBH("Encountered a zero-length descriptor after %u bytes\r\n", (uint32_t)p_desc - (uint32_t)desc_cfg);
+ break;
+ }
+
 uint8_t assoc_itf_count = 1;
 // Class will always starts with Interface Association (if any) and then Interface descriptor
@@ -1645,13 +1652,6 @@ static bool _parse_configuration_descriptor(uint8_t dev_addr, tusb_desc_configur
 // desc_iad->bFunctionClass == desc_itf->bInterfaceClass);
 }
- if ( 0 == tu_desc_len(p_desc) ) {
- // A zero length descriptor indicates that the wTotalLength field is wrong.
- // Parsed interfaces should still be usable
- TU_LOG_USBH("Encountered a zero-length descriptor after %u bytes\r\n", (uint32_t)p_desc - (uint32_t)desc_cfg);
- break;
- }
-
 TU_ASSERT( TUSB_DESC_INTERFACE == tu_desc_type(p_desc) );
 tusb_desc_interface_t const* desc_itf = (tusb_desc_interface_t const*) p_desc;
diff --git a/src/tusb.c b/src/tusb.c
index 799ffdce9..66c835e61 100644
--- a/src/tusb.c
+++ b/src/tusb.c
@@ -247,6 +247,10 @@ uint16_t tu_desc_get_interface_total_len(tusb_desc_interface_t const* desc_itf,
 p_desc = tu_desc_next(p_desc);
 while (len < max_len) {
+ if (tu_desc_len(p_desc) == 0) {
+ // Escape infinite loop
+ break;
+ }
 // return on IAD regardless of itf count
 if (tu_desc_type(p_desc) == TUSB_DESC_INTERFACE_ASSOCIATION) {
 return len;
@@ -255,10 +259,6 @@ uint16_t tu_desc_get_interface_total_len(tusb_desc_interface_t const* desc_itf,
 ((tusb_desc_interface_t const*) p_desc)->bAlternateSetting == 0) {
 break;
 }
- if (tu_desc_len(p_desc) == 0) {
- // Escape infinite loop
- break;
- }
 len += tu_desc_len(p_desc);
 p_desc = tu_desc_next(p_desc);
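Review bot: The `TU_LOG_USBH` call in the zero-length check added at the top of the `while( p_desc < desc_end )` loop in src/host/usbh.c casts both pointers to `uint32_t` and prints the difference with `%u`. On a build where pointers are wider than 32 bits (host-side unit tests, for example) those casts narrow the pointers and compilers warn about them, and on targets where `uint32_t` is `unsigned long` the `%u` specifier no longer matches its argument. Taking the difference through `uintptr_t` and casting the result keeps the line portable: `(unsigned) ((uintptr_t) p_desc - (uintptr_t) desc_cfg)`. `_parse_configuration_descriptor` begins and ends outside this hunk, so what it returns after the `break` is not visible here.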
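Review bot: The guard added at the top of `while (len < max_len)` in src/tusb.c stops the walk only for `bLength == 0`; every other length is still trusted, so the later `len += tu_desc_len(p_desc)` can carry `len` past `max_len` on the last descriptor. When this runs during host enumeration the bytes come from the attached device, so the check could also reject a length shorter than the two-byte descriptor header or longer than what remains: `if (tu_desc_len(p_desc) < 2 || tu_desc_len(p_desc) > max_len - len) { break; }`. The comment could then state the reason rather than the symptom, e.g. `// bLength is device-supplied: stop on a length that cannot advance or that overruns max_len`. The code after the loop is outside the hunk, so whether callers clamp the returned length cannot be seen here.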