Fixed invalid endpoint indexes causing memory corruption in device Clear/Set Feature...

diff --git a/LUFA/DoxygenPages/ChangeLog.txt b/LUFA/DoxygenPages/ChangeLog.txt
index 6a84224..860f0b7 100644 (file)
--- a/LUFA/DoxygenPages/ChangeLog.txt
+++ b/LUFA/DoxygenPages/ChangeLog.txt
@@ -22,6 +22,7 @@
   *   - Fixed void pointer arithmetic in the low level and class driver RNDIS demo protocol decoders
   *   - Fixed low level RNDIS demo incorrectly setting the RNDIS state when a null packet filter was requested
   *   - Fixed missing entries in several project's Atmel Studio integration files, such as driver INF files
+  *   - Fixed invalid endpoint indexes causing memory corruption in device Clear/Set Feature standard requests (thanks to Peter Popovec)
   *
   *  <b>Changed:</b>
   *   - Added signed alternative libUSB driver for the AVRISP-MKII clone project, to support Atmel Studio 7 (thanks to Atmel)

diff --git a/LUFA/Drivers/USB/Core/DeviceStandardReq.c b/LUFA/Drivers/USB/Core/DeviceStandardReq.c
index d21df8d..e296d8d 100644 (file)
--- a/LUFA/Drivers/USB/Core/DeviceStandardReq.c
+++ b/LUFA/Drivers/USB/Core/DeviceStandardReq.c
@@ -292,6 +292,7 @@ static void USB_Device_GetStatus(void)
        switch (USB_ControlRequest.bmRequestType)
        {
                case (REQDIR_DEVICETOHOST | REQTYPE_STANDARD | REQREC_DEVICE):
+               {
                        #if !defined(NO_DEVICE_SELF_POWER)
                        if (USB_Device_CurrentlySelfPowered)
                          CurrentStatus |= FEATURE_SELFPOWERED_ENABLED;
@@ -302,9 +303,16 @@ static void USB_Device_GetStatus(void)
                          CurrentStatus |= FEATURE_REMOTE_WAKEUP_ENABLED;
                        #endif
                        break;
+               }
                case (REQDIR_DEVICETOHOST | REQTYPE_STANDARD | REQREC_ENDPOINT):
+               {
                        #if !defined(CONTROL_ONLY_DEVICE)
-                       Endpoint_SelectEndpoint((uint8_t)USB_ControlRequest.wIndex & ENDPOINT_EPNUM_MASK);
+                       uint8_t EndpointIndex = ((uint8_t)USB_ControlRequest.wIndex & ENDPOINT_EPNUM_MASK);
+
+                       if (EndpointIndex >= ENDPOINT_TOTAL_ENDPOINTS)
+                               return;
+
+                       Endpoint_SelectEndpoint(EndpointIndex);
 
                        CurrentStatus = Endpoint_IsStalled();
 
@@ -312,6 +320,7 @@ static void USB_Device_GetStatus(void)
                        #endif
 
                        break;
+               }
                default:
                        return;
        }
@@ -330,20 +339,23 @@ static void USB_Device_ClearSetFeature(void)
        {
                #if !defined(NO_DEVICE_REMOTE_WAKEUP)
                case REQREC_DEVICE:
+               {
                        if ((uint8_t)USB_ControlRequest.wValue == FEATURE_SEL_DeviceRemoteWakeup)
                          USB_Device_RemoteWakeupEnabled = (USB_ControlRequest.bRequest == REQ_SetFeature);
                        else
                          return;
 
                        break;
+               }
                #endif
                #if !defined(CONTROL_ONLY_DEVICE)
                case REQREC_ENDPOINT:
+               {
                        if ((uint8_t)USB_ControlRequest.wValue == FEATURE_SEL_EndpointHalt)
                        {
                                uint8_t EndpointIndex = ((uint8_t)USB_ControlRequest.wIndex & ENDPOINT_EPNUM_MASK);
 
-                               if (EndpointIndex == ENDPOINT_CONTROLEP)
+                               if (EndpointIndex == ENDPOINT_CONTROLEP || EndpointIndex >= ENDPOINT_TOTAL_ENDPOINTS)
                                  return;
 
                                Endpoint_SelectEndpoint(EndpointIndex);
@@ -364,6 +376,7 @@ static void USB_Device_ClearSetFeature(void)
                        }
 
                        break;
+               }
                #endif
                default:
                        return;