Hardfault in tusb_fifo.c when absolute write index is passed to ff_push_n #3446

@pieterpalmers

Description

Operating System

Others

Commit SHA

3eafddb

Board

fystec ucan (stm32f072)

Firmware

Custom firmware using CDC, based on examples/device/cdc_dual_ports. FIFO depth configured as 128 bytes in tusb_config.h.

What happened?

Hardfault happened while printing at a fast rate. Asked AI to analyze the issue based on the stack trace and the variable contents. This looks like a legit bug, but I can't judge myself.

The bug occurs in tusb_fifo.c. TinyUSB uses absolute indices [0, 2*depth) for FIFO state. When FIFO wraps, an absolute wr_idx > depth is normal (for depth=128, wr_idx=132 is valid and maps to relative 4).

However, ff_push_n (and possibly ff_pull_n) receives the absolute wr_idx, and internally calculates linear space via 'lin_count = depth - wr_ptr'. When wr_idx=132 is passed directly, 128-132 = -4, and as uint16_t this underflows to 65532, causing memcpy to attempt an enormous copy and triggering a hardfault.

The hardfault happened in ff_push_n with wr_idx=132 for a fifo with depth 128. Top of the call stack is tud_cdc_n_write_str.

How to reproduce?

(unconfirmed)

  1. Set up a TinyUSB CDC device with FIFO depth = 128
  2. Call tud_cdc_n_write_str several times to cause wrap-around, so wr_idx > 128 (e.g., 132)
  3. Observe hardfault after FIFO wraps

Debug Log as txt file (LOG/CFG_TUSB_DEBUG=2)

Not available

Screenshots

No response

I have checked existing issues, discussion and documentation

  • I confirm I have checked existing issues, discussion and documentation.
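The following is an added example, not TinyUSB's own code and not something the reporter posted. It is a simplified model of the indexing scheme the report describes (absolute indices in [0, 2*depth) with the buffer offset taken modulo depth) so the hazard can be seen in isolation: `lin_count_from_abs` computes the linear run from the absolute index, as the report suspects happens, and wraps to 65532 for wr_idx=132, depth=128; `lin_count_from_rel` first reduces to the relative offset and stays bounded by depth. The push/pull routines clamp every copy to the free or stored byte count before calling memcpy, so a wrong index can never turn into an oversized copy. All names (`model_fifo_t`, `ff_rel_idx`, `ff_push_n`, `ff_pull_n`, `demo_wrap_roundtrip`) are hypothetical.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define FF_DEPTH 128u  /* same depth as the reporter's config (constructed model) */

/* Minimal model of a FIFO that tracks absolute indices in [0, 2*depth)
   so that "full" and "empty" are distinguishable without a spare slot. */
typedef struct {
    uint8_t  buf[FF_DEPTH];
    uint16_t depth;
    uint16_t wr_idx;   /* absolute write index, 0 .. 2*depth-1 */
    uint16_t rd_idx;   /* absolute read index,  0 .. 2*depth-1 */
} model_fifo_t;

static void ff_init(model_fifo_t *f) {
    memset(f, 0, sizeof(*f));
    f->depth = FF_DEPTH;
}

/* Map an absolute index to an offset inside the buffer. */
static uint16_t ff_rel_idx(uint16_t abs_idx, uint16_t depth) {
    return (uint16_t)(abs_idx >= depth ? abs_idx - depth : abs_idx);
}

/* The hazard from the report: linear space computed from the ABSOLUTE index.
   For abs_wr_idx=132, depth=128 the uint16_t result wraps to 65532. */
static uint16_t lin_count_from_abs(uint16_t abs_wr_idx, uint16_t depth) {
    return (uint16_t)(depth - abs_wr_idx);
}

/* Correct: linear space measured from the RELATIVE offset, always <= depth. */
static uint16_t lin_count_from_rel(uint16_t abs_wr_idx, uint16_t depth) {
    return (uint16_t)(depth - ff_rel_idx(abs_wr_idx, depth));
}

/* Bytes currently stored; valid across the 2*depth wrap of the indices. */
static uint16_t ff_count(const model_fifo_t *f) {
    return (uint16_t)((f->wr_idx + 2u * f->depth - f->rd_idx) % (2u * f->depth));
}

/* Push up to n bytes; the copy is clamped to free space and split at the buffer end. */
static uint16_t ff_push_n(model_fifo_t *f, const uint8_t *data, uint16_t n) {
    uint16_t free_bytes = (uint16_t)(f->depth - ff_count(f));
    if (n > free_bytes) n = free_bytes;                 /* never overfill */
    uint16_t wr_rel = ff_rel_idx(f->wr_idx, f->depth);
    uint16_t lin    = lin_count_from_rel(f->wr_idx, f->depth);
    if (lin > n) lin = n;                               /* bounded by both depth and n */
    memcpy(&f->buf[wr_rel], data, lin);
    if (n > lin) memcpy(f->buf, data + lin, (size_t)(n - lin));  /* wrapped tail */
    f->wr_idx = (uint16_t)((f->wr_idx + n) % (2u * f->depth));
    return n;
}

/* Pull up to n bytes with the same clamping and split logic. */
static uint16_t ff_pull_n(model_fifo_t *f, uint8_t *out, uint16_t n) {
    uint16_t avail = ff_count(f);
    if (n > avail) n = avail;
    uint16_t rd_rel = ff_rel_idx(f->rd_idx, f->depth);
    uint16_t lin    = (uint16_t)(f->depth - rd_rel);
    if (lin > n) lin = n;
    memcpy(out, &f->buf[rd_rel], lin);
    if (n > lin) memcpy(out + lin, f->buf, (size_t)(n - lin));
    f->rd_idx = (uint16_t)((f->rd_idx + n) % (2u * f->depth));
    return n;
}

/* Reproduces the reporter's index state: after 100 in / 100 out / 32 in,
   wr_idx is the absolute value 132 (relative 4). Returns wr_idx on success,
   0 if the data read back does not match what was written. */
static uint16_t demo_wrap_roundtrip(void) {
    model_fifo_t f;
    uint8_t in[FF_DEPTH], out[FF_DEPTH];
    ff_init(&f);
    for (unsigned i = 0; i < FF_DEPTH; i++) in[i] = (uint8_t)(i * 7u + 3u);  /* constructed pattern */
    if (ff_push_n(&f, in, 100) != 100 || ff_pull_n(&f, out, 100) != 100) return 0;
    if (ff_push_n(&f, in, 32) != 32) return 0;        /* crosses the buffer end */
    uint16_t wr_after_wrap = f.wr_idx;
    if (ff_pull_n(&f, out, 32) != 32) return 0;
    return memcmp(in, out, 32) == 0 ? wr_after_wrap : 0;
}

int main(void) {
    printf("rel(132) = %u, lin_from_abs = %u, lin_from_rel = %u, wr after wrap = %u\n",
           ff_rel_idx(132, 128), lin_count_from_abs(132, 128),
           lin_count_from_rel(132, 128), demo_wrap_roundtrip());
    return 0;
}
```

The point a reviewer would check in any ring-buffer push path is that the length handed to memcpy is derived from the relative offset and then clamped by the caller's byte count, so that even a mis-passed absolute index cannot produce a 16-bit wrap into a multi-kilobyte copy.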
