From fa2a8fca69513d59b008159361ed741a753b6304 Mon Sep 17 00:00:00 2001 From: Dean Camera Date: Wed, 27 Feb 2013 19:57:28 +0000 Subject: Fixed potential NULL pointer dereference in the HID Host mode Class Driver (thanks to Pavel Kuzmin). --- LUFA/DoxygenPages/ChangeLog.txt | 1 + LUFA/Drivers/USB/Class/Host/HIDClassHost.c | 21 ++++++++++++--------- 2 files changed, 13 insertions(+), 9 deletions(-) (limited to 'LUFA') diff --git a/LUFA/DoxygenPages/ChangeLog.txt b/LUFA/DoxygenPages/ChangeLog.txt index 59d639dd2..caeb334c0 100644 --- a/LUFA/DoxygenPages/ChangeLog.txt +++ b/LUFA/DoxygenPages/ChangeLog.txt @@ -46,6 +46,7 @@ * - Fixed incorrect ordering of the linker options in the build system causing link failures in some cases * - Fixed bug in the TWI peripheral driver for the AVR8 devices causing incorrect failure codes to be returned in some cases (thanks to Peter K) * - Fixed swapped LED3 and LED4 masks for the Olimex-32U4 development board LED driver + * - Fixed potential NULL pointer dereference in the HID Host mode Class Driver (thanks to Pavel Kuzmin) * - Library Applications: * - Fixed broken RESET_TOGGLES_LIBUSB_COMPAT compile time option in the AVRISP-MKII project * - Fixed incompatibility in the CDC class bootloader on some systems (thanks to Sylvain Munaut) diff --git a/LUFA/Drivers/USB/Class/Host/HIDClassHost.c b/LUFA/Drivers/USB/Class/Host/HIDClassHost.c index 5e1ad3724..837c84100 100644 --- a/LUFA/Drivers/USB/Class/Host/HIDClassHost.c +++ b/LUFA/Drivers/USB/Class/Host/HIDClassHost.c @@ -57,7 +57,7 @@ uint8_t HID_Host_ConfigurePipes(USB_ClassInfo_HID_Host_t* const HIDInterfaceInfo USB_GetNextDescriptorComp(&ConfigDescriptorSize, &ConfigDescriptorData, DCOMP_HID_Host_NextHIDInterfaceEndpoint) != DESCRIPTOR_SEARCH_COMP_Found) { - if (DataINEndpoint || DataOUTEndpoint) + if (DataINEndpoint) break; do @@ -97,16 +97,19 @@ uint8_t HID_Host_ConfigurePipes(USB_ClassInfo_HID_Host_t* const HIDInterfaceInfo HIDInterfaceInfo->Config.DataINPipe.Size = le16_to_cpu(DataINEndpoint->EndpointSize); HIDInterfaceInfo->Config.DataINPipe.EndpointAddress = DataINEndpoint->EndpointAddress; HIDInterfaceInfo->Config.DataINPipe.Type = EP_TYPE_INTERRUPT; - - HIDInterfaceInfo->Config.DataOUTPipe.Size = le16_to_cpu(DataOUTEndpoint->EndpointSize); - HIDInterfaceInfo->Config.DataOUTPipe.EndpointAddress = DataOUTEndpoint->EndpointAddress; - HIDInterfaceInfo->Config.DataOUTPipe.Type = EP_TYPE_INTERRUPT; - + if (!(Pipe_ConfigurePipeTable(&HIDInterfaceInfo->Config.DataINPipe, 1))) return false; - - if (!(Pipe_ConfigurePipeTable(&HIDInterfaceInfo->Config.DataOUTPipe, 1))) - return false; + + if (DataOUTEndpoint) + { + HIDInterfaceInfo->Config.DataOUTPipe.Size = le16_to_cpu(DataOUTEndpoint->EndpointSize); + HIDInterfaceInfo->Config.DataOUTPipe.EndpointAddress = DataOUTEndpoint->EndpointAddress; + HIDInterfaceInfo->Config.DataOUTPipe.Type = EP_TYPE_INTERRUPT; + + if (!(Pipe_ConfigurePipeTable(&HIDInterfaceInfo->Config.DataOUTPipe, 1))) + return false; + } HIDInterfaceInfo->State.InterfaceNumber = HIDInterface->InterfaceNumber; HIDInterfaceInfo->State.HIDReportSize = LE16_TO_CPU(HIDDescriptor->HIDReportLength); -- cgit v1.2.3