From 453ba529a6db41ad9e0e8cbfdedfcb48b059693e Mon Sep 17 00:00:00 2001 From: Ryzee119 Date: Fri, 28 Jan 2022 14:02:34 +1030 Subject: [PATCH] OHCI: Fix array out of bounds issue If using a USB hub, a request outside the array size can occur Original line: https://github.com/hathach/tinyusb/blob/ffb257ac17f162bc5a4c26596d7a1e954db98aa5/src/portable/ohci/ohci.h#L162 It can happen in a few places but one such example is here: https://github.com/hathach/tinyusb/blob/ffb257ac17f162bc5a4c26596d7a1e954db98aa5/src/portable/ohci/ohci.c#L460 ie. if HUB address is 5, this would be an array index out of bounds on control endpoints as `CFG_TUH_DEVICE_MAX+1` is only 5. This fix just includes num of hubs in the reserve array size. Fixing locally fixed this issue. --- src/portable/ohci/ohci.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/portable/ohci/ohci.h b/src/portable/ohci/ohci.h index cd90aa45a..8db097b06 100644 --- a/src/portable/ohci/ohci.h +++ b/src/portable/ohci/ohci.h @@ -159,7 +159,7 @@ typedef struct TU_ATTR_ALIGNED(256) struct { ohci_ed_t ed; ohci_gtd_t gtd; - }control[CFG_TUH_DEVICE_MAX+1]; + }control[CFG_TUH_DEVICE_MAX+CFG_TUH_HUB+1]; // ochi_itd_t itd[OHCI_MAX_ITD]; // itd requires alignment of 32 ohci_ed_t ed_pool[HCD_MAX_ENDPOINT];