From 0c9856f405ca64314fabd5e20a6b0dab4d4a776b Mon Sep 17 00:00:00 2001
From: Dean Camera <dean@fourwalledcubicle.com>
Date: Mon, 28 Mar 2016 13:41:25 +1100
Subject: Fixed invalid endpoint indexes causing memory corruption in device
 Clear/Set Feature standard requests (thanks to Peter Popovec).

---
 LUFA/Drivers/USB/Core/DeviceStandardReq.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

(limited to 'LUFA/Drivers/USB')

diff --git a/LUFA/Drivers/USB/Core/DeviceStandardReq.c b/LUFA/Drivers/USB/Core/DeviceStandardReq.c
index d21df8d54..e296d8d59 100644
--- a/LUFA/Drivers/USB/Core/DeviceStandardReq.c
+++ b/LUFA/Drivers/USB/Core/DeviceStandardReq.c
@@ -292,6 +292,7 @@ static void USB_Device_GetStatus(void)
 	switch (USB_ControlRequest.bmRequestType)
 	{
 		case (REQDIR_DEVICETOHOST | REQTYPE_STANDARD | REQREC_DEVICE):
+		{
 			#if !defined(NO_DEVICE_SELF_POWER)
 			if (USB_Device_CurrentlySelfPowered)
 			  CurrentStatus |= FEATURE_SELFPOWERED_ENABLED;
@@ -302,9 +303,16 @@ static void USB_Device_GetStatus(void)
 			  CurrentStatus |= FEATURE_REMOTE_WAKEUP_ENABLED;
 			#endif
 			break;
+		}
 		case (REQDIR_DEVICETOHOST | REQTYPE_STANDARD | REQREC_ENDPOINT):
+		{
 			#if !defined(CONTROL_ONLY_DEVICE)
-			Endpoint_SelectEndpoint((uint8_t)USB_ControlRequest.wIndex & ENDPOINT_EPNUM_MASK);
+			uint8_t EndpointIndex = ((uint8_t)USB_ControlRequest.wIndex & ENDPOINT_EPNUM_MASK);
+
+			if (EndpointIndex >= ENDPOINT_TOTAL_ENDPOINTS)
+				return;
+
+			Endpoint_SelectEndpoint(EndpointIndex);
 
 			CurrentStatus = Endpoint_IsStalled();
 
@@ -312,6 +320,7 @@ static void USB_Device_GetStatus(void)
 			#endif
 
 			break;
+		}
 		default:
 			return;
 	}
@@ -330,20 +339,23 @@ static void USB_Device_ClearSetFeature(void)
 	{
 		#if !defined(NO_DEVICE_REMOTE_WAKEUP)
 		case REQREC_DEVICE:
+		{
 			if ((uint8_t)USB_ControlRequest.wValue == FEATURE_SEL_DeviceRemoteWakeup)
 			  USB_Device_RemoteWakeupEnabled = (USB_ControlRequest.bRequest == REQ_SetFeature);
 			else
 			  return;
 
 			break;
+		}
 		#endif
 		#if !defined(CONTROL_ONLY_DEVICE)
 		case REQREC_ENDPOINT:
+		{
 			if ((uint8_t)USB_ControlRequest.wValue == FEATURE_SEL_EndpointHalt)
 			{
 				uint8_t EndpointIndex = ((uint8_t)USB_ControlRequest.wIndex & ENDPOINT_EPNUM_MASK);
 
-				if (EndpointIndex == ENDPOINT_CONTROLEP)
+				if (EndpointIndex == ENDPOINT_CONTROLEP || EndpointIndex >= ENDPOINT_TOTAL_ENDPOINTS)
 				  return;
 
 				Endpoint_SelectEndpoint(EndpointIndex);
@@ -364,6 +376,7 @@ static void USB_Device_ClearSetFeature(void)
 			}
 
 			break;
+		}
 		#endif
 		default:
 			return;
-- 
cgit v1.2.3