From e49cad84e2798ddd4ee49d3684ce7b414d30ccb2 Mon Sep 17 00:00:00 2001
From: Jerzy Kasenberg
Date: Sun, 1 May 2022 14:18:53 +0200
Subject: [PATCH] dcd_pic32: Fix memory overwrite in incoming data

When transfer was finished rx_fifo_read() read all that was to read RXPKTRDY was cleared allowing next packet to be received. Then xfer_complete was called. Interrupt for OUT endpoint was left enable, that would not be a problem if data was handled fast and new transfer was scheduled. For MSC when host sends a lot of data this interrupt that was enabled could cause epn_handle_rx_int() to be called after transfer was completed and next was not scheduled yet. Without TU_ASSERT that was added to detect this, incoming data was written past buffer provided by user code resulting in random memory corruption. This just blocks RX interrupt when transfer is finished, and also only unmasked rx interrupts are handled.
---
 src/portable/microchip/pic32mz/dcd_pic32mz.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/portable/microchip/pic32mz/dcd_pic32mz.c b/src/portable/microchip/pic32mz/dcd_pic32mz.c
index 1683d95b4..2103d41fb 100644
--- a/src/portable/microchip/pic32mz/dcd_pic32mz.c
+++ b/src/portable/microchip/pic32mz/dcd_pic32mz.c
@@ -564,6 +564,7 @@ static void epn_handle_rx_int(uint8_t epnum)
 TU_ASSERT(xfer->transferred <= xfer->total_len,);
 if (transferred < xfer->max_packet_size || xfer->transferred == xfer->total_len)
 {
+ USB_REGS->INTRRXEbits.w &= ~(1u << epnum);
 xfer_complete(xfer, XFER_RESULT_SUCCESS, true);
 }
 }
@@ -692,7 +693,7 @@ void dcd_int_handler(uint8_t rhport)
 int i;
 uint8_t mask;
 __USBCSR2bits_t csr2_bits;
- uint16_t rxints = USB_REGS->INTRRX;
+ uint16_t rxints = USB_REGS->INTRRX & USB_REGS->INTRRXEbits.w;
 uint16_t txints = USB_REGS->INTRTX;
 csr2_bits = USBCSR2bits;
 (void) rhport;
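Review bot: The added `USB_REGS->INTRRXEbits.w &= ~(1u << epnum);` is a read-modify-write of an enable register shared by every OUT endpoint, and the code that must set the bit again when the next transfer is queued is outside this hunk, so it is worth confirming that the scheduling path (presumably dcd_edpt_xfer) re-enables the endpoint and does its own modify of INTRRXE with interrupts masked or via an atomic set/clear if the part offers one; otherwise a task-context RMW interrupted by this ISR can write back a stale value and re-enable an endpoint that has no buffer, which is exactly the overrun this commit closes. A short comment on the new line would also help the next reader, e.g. `// Mask this OUT endpoint until a new transfer is queued; a stray RX interrupt here would write past the user buffer`. The body of epn_handle_rx_int starts outside the hunk.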
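Review bot: `rxints` is now masked with INTRRXEbits.w but `txints` on the following line is not masked with the TX enable register, and nothing in the hunk explains the asymmetry. If INTRRX is a clear-on-read flag register (not visible here), the flags of a masked endpoint are silently consumed by this read, which matches the commit's intent but deserves a comment such as `// Service only OUT endpoints whose interrupt is enabled; a completed transfer masks its endpoint until the next one is queued`. dcd_int_handler's body continues outside the hunk, so whether the masked flags are needed later in the handler cannot be judged from here.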