From 6229d623b03cb0999cc8920be45252e333aff084 Mon Sep 17 00:00:00 2001
From: Michael Sparmann
Date: Thu, 10 Nov 2011 10:37:02 +0000
Subject: Rework FS#12310 fix (r30906) for better readability. No functional change.
git-svn-id: svn://svn.rockbox.org/rockbox/trunk@30953 a1c6a512-1295-4272-9138-f99709370657
---
 firmware/target/arm/usb-s3c6400x.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
(limited to 'firmware/target')
diff --git a/firmware/target/arm/usb-s3c6400x.c b/firmware/target/arm/usb-s3c6400x.c
index af90be6944..4476549aa7 100644
--- a/firmware/target/arm/usb-s3c6400x.c
+++ b/firmware/target/arm/usb-s3c6400x.c
@@ -48,10 +48,18 @@ struct ep_type
 } ;
 static struct ep_type endpoints[USB_NUM_ENDPOINTS];
-static union
+
+/* USB control requests may be up to 64 bytes in size.
+ Even though we never use anything more than the 8 header bytes,
+ we are required to accept request packets of up to 64 bytes size.
+ Provide buffer space for these additional payload bytes so that
+ e.g. write descriptor requests (which are rejected by us, but the
+ payload is transferred anyway) do not cause memory corruption.
+ Fixes FS#12310. -- Michael Sparmann (theseven) */
+static struct
 {
- unsigned char data[64];
- struct usb_ctrlrequest req;
+ struct usb_ctrlrequest header; /* 8 bytes */
+ unsigned char payload[64 - sizeof(struct usb_ctrlrequest)];
 } ctrlreq USB_DEVBSS_ATTR;
 int usb_drv_port_speed(void)
@@ -74,7 +82,7 @@ static void reset_endpoints(int reinit)
 DOEPCTL0 = 0x8000; /* EP0 OUT ACTIVE */
 DOEPTSIZ0 = 0x20080040; /* EP0 OUT Transfer Size: 64 Bytes, 1 Packet, 1 Setup Packet */
- DOEPDMA0 = &ctrlreq.data;
+ DOEPDMA0 = &ctrlreq;
 DOEPCTL0 |= 0x84000000; /* EP0 OUT ENABLE CLEARNAK */
 if (reinit)
 {
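Review bot: The 64-byte size of `ctrlreq` that the EP0 OUT DMA depends on is now derived from `sizeof(struct usb_ctrlrequest)` and the `/* 8 bytes */` comment, with nothing at the definition checking it at build time. The receive length is programmed separately as `DOEPTSIZ0 = 0x20080040`, which the adjacent comment documents as a 64-byte transfer (in reset_endpoints here and again in the last INT_USB_FUNC hunk), so the two literals can drift apart and reintroduce the overrun the new comment describes. A named constant shared by both places plus a build-time check next to the definition, e.g. `typedef char ctrlreq_size_check[sizeof(ctrlreq) >= 64 ? 1 : -1];`, would pin the invariant. The layout of `struct usb_ctrlrequest` is not visible in this diff, so the 8-byte figure is taken from the comment.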
@@ -247,14 +255,14 @@ void INT_USB_FUNC(void)
 invalidate_dcache();
 if (i == 0)
 {
- if (ctrlreq.req.bRequest == 5)
+ if (ctrlreq.header.bRequest == 5)
 {
 /* Already set the new address here, before passing the packet to the core. See below (usb_drv_set_address) for details. */
- DCFG = (DCFG & ~0x7F0) | (ctrlreq.req.wValue << 4);
+ DCFG = (DCFG & ~0x7F0) | (ctrlreq.header.wValue << 4);
 }
- usb_core_control_request(&ctrlreq.req);
+ usb_core_control_request(&ctrlreq.header);
 }
 else panicf("USB: SETUP done on OUT EP%d!?", i);
 }
@@ -262,7 +270,7 @@ void INT_USB_FUNC(void)
 if (!i)
 {
 DOEPTSIZ0 = 0x20080040;
- DOEPDMA0 = &ctrlreq.data;
+ DOEPDMA0 = &ctrlreq;
 DOEPCTL0 |= 0x84000000;
 }
 DOEPINT(i) = epints;
-- 
cgit v1.2.3
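Review bot: The host-supplied `wValue` is shifted into `DCFG` without a mask in the `bRequest == 5` branch, so a request carrying a value above 0x7F would set bits outside the 0x7F0 address field that the expression has just cleared. Masking the shifted value keeps the write inside that field: `DCFG = (DCFG & ~0x7F0) | ((ctrlreq.header.wValue << 4) & 0x7F0);`. The branch also keys on `bRequest` alone; unless `bRequestType` is checked elsewhere (not visible here), a class or vendor request numbered 5 would change the device address as well. INT_USB_FUNC's body starts and ends outside the hunk.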