USB buffer overflow on clear stall operation

[pierre-x]

Inside stm32f0xx_hal_pcd.c, on normal operation, when the receive buffer is not full, the receive callback CDC_Receive_FS calls USBD_CDC_ReceivePacket, which re-arms the endpoint to receive new data and sets ep->xfer_count to zero.

In the case of a full buffer, the host may reach a timeout and request a Clear Stall. USBD_LL_ClearStallEP will call HAL_PCD_EP_ClrStall to re-arm the endpoint WITHOUT resetting ep->xfer_count, which will cause a buffer overflow when receiving the next packet.

IMHO, HAL_PCD_EP_ClrStall() should include an ep->xfer_count = 0. The tricky part: the host can send Clear Stalls at any time, even when the buffer isn't full and the device isn't Stalled, in this case the buffer index shouldn't be cleared.

So maybe the solution is something like that:

HAL_StatusTypeDef HAL_PCD_EP_ClrStall(PCD_HandleTypeDef *hpcd, uint8_t ep_addr)
{
    // [...]
    if(ep->is_flowcontrol_triggered)
    {
        ep->xfer_count = 0;
    }

[ALABSTM]

Hi @pierre-x,

Thank you for this analysis and the proposal you made. I will forward your report to our development teams for further analysis. I will keep you informed.

With regards,

[ALABSTM]

@pierre-x,

May I ask whether the use case you reported has been tested by any means and the described issue reproduced, or is it analysis based on code review?

Thank you,

[ALABSTM]

ST Internal Reference: 201910

[pierre-x]

May I ask whether the use case you reported has been tested by any means and the described issue reproduced, or is it analysis based on code review?

It's a bug we have encountered, and that we can reproduce 100% of the time. We have corrected it as described in the bug report.

I can share by email some part of our source code if necessary.

[ALABSTM]

Hi @pierre-x,

May I ask you whether you can share a sample project allowing to reproduce the issue?

Thank you,

[ALABSTM]

Hi @pierre-x,

Any sample code or project to share please?

Thank you,