drivers: udc: fix buffer leak when the host omits control data stage

The previous setup packet reference will simply be overwritten when the host omits data (OUT) stage. If a new setup packet arrives before the previous data stage is complete, free the last setup packet buffer. Signed-off-by: Johann Fischer <johann.fischer@nordicsemi.no>
1 month ago · cd7a6e5e54
1 changed files with 14 additions and 2 deletions
--- a/drivers/usb/udc/udc_common.c
+++ b/drivers/usb/udc/udc_common.c
@ -981,13 +981,25 @@ void udc_ctrl_update_stage(const struct device *dev,
				@@ -981,13 +981,25 @@ void udc_ctrl_update_stage(const struct device *dev,
 	if (bi->setup && bi->ep == USB_CONTROL_EP_OUT) {
 		uint16_t length  = udc_data_stage_length(buf);

-		data->setup = buf;
-
 		if (data->stage != CTRL_PIPE_STAGE_SETUP) {
 			LOG_INF("Sequence %u not completed", data->stage);
+
+			if (data->stage == CTRL_PIPE_STAGE_DATA_OUT) {
+				/*
+				 * The last setup packet is "floating" because
+				 * DATA OUT stage was awaited. This setup
+				 * packet must be removed here because it will
+				 * never reach the stack.
+				 */
+				LOG_INF("Drop setup packet (%p)", (void *)data->setup);
+				net_buf_unref(data->setup);
+			}
+
 			data->stage = CTRL_PIPE_STAGE_SETUP;
 		}

+		data->setup = buf;
+
 		/*
 		 * Setup Stage has been completed (setup packet received),
 		 * regardless of the previous stage, this is now being reset.