From 907640e40ead34649c64c51fc79646b64981876f Mon Sep 17 00:00:00 2001
From: Stefan Kerkmann
Date: Wed, 5 Oct 2022 21:26:53 +0200
Subject: [PATCH] [Bug] XAP: Fix unaligned memory access in config blob handler and USB task loop condition (#18612)
* Fix unaligned memory access in config blob handler data* points in the middle of an u8 array, casting this to an u16* and dereferencing it leads to an unaligned memory access - which hardfaults on Cortex M0 mcus e.g. RP2040s.
* Actually read until there is no more data to be read
---
 quantum/xap/xap_handlers.c | 3 ++-
 tmk_core/protocol/chibios/usb_main.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/quantum/xap/xap_handlers.c b/quantum/xap/xap_handlers.c
index 2938892d508..3c3bbdace7f 100644
--- a/quantum/xap/xap_handlers.c
+++ b/quantum/xap/xap_handlers.c
@@ -64,7 +64,8 @@ bool xap_respond_get_config_blob_chunk(xap_token_t token, const void *data, size
 return false;
 }
- uint16_t offset = *((uint16_t *)data);
+ uint16_t offset;
+ memcpy(&offset, data, sizeof(uint16_t));
 xap_route_qmk_config_blob_chunk_t ret = {0};
diff --git a/tmk_core/protocol/chibios/usb_main.c b/tmk_core/protocol/chibios/usb_main.c
index 795cc144381..18c7d3f246e 100644
--- a/tmk_core/protocol/chibios/usb_main.c
+++ b/tmk_core/protocol/chibios/usb_main.c
@@ -1165,7 +1165,7 @@ void xap_task(void) {
 uint8_t buffer[XAP_EPSIZE];
 size_t size = 0;
 do {
- size_t size = chnReadTimeout(&drivers.xap_driver.driver, buffer, sizeof(buffer), TIME_IMMEDIATE);
+ size = chnReadTimeout(&drivers.xap_driver.driver, buffer, sizeof(buffer), TIME_IMMEDIATE);
 if (size > 0) {
 xap_receive_base(buffer);
 }
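Review bot: The added `memcpy(&offset, data, sizeof(uint16_t));` in xap_respond_get_config_blob_chunk copies two bytes out of a host-supplied payload, and the guard ending in `return false;` directly above it begins outside the hunk, so it cannot be confirmed from here that it rejects a payload shorter than two bytes. If that guard tests anything other than the length, the copy would read past the received data; it is worth checking that it compares the length against `sizeof(uint16_t)`. Writing the size as `memcpy(&offset, data, sizeof offset);` ties it to the destination, so a later change to the type of `offset` cannot silently over- or under-copy. The function continues past the hunk, so how `offset` is bounded against the blob size is not visible either.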
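Review bot: In xap_task, `xap_receive_base(buffer);` is handed the buffer without the `size` that was just read, and `buffer` is declared uninitialised, so a read shorter than `XAP_EPSIZE` leaves the tail holding stack garbage or bytes from the previous packet. With the shadowing removed the loop can now run several iterations per call, which makes stale bytes from an earlier packet more likely to be parsed as part of a later, shorter one. Whether the channel can return a partial read depends on the driver, but clearing the remainder before the call removes the dependency: `memset(buffer + size, 0, sizeof(buffer) - size);`. The loop's closing condition is outside the hunk; since it now drains until the endpoint is empty, it is also worth confirming that a host sending continuously cannot keep this task from returning.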