From c9ac17c9f5e793d1cba877a33e4d8353beff94e6 Mon Sep 17 00:00:00 2001
From: Philippe Teuwen <yobibe@gmail.com>
Date: Thu, 20 Apr 2017 09:06:47 +0200
Subject: [PATCH] Fix USB descriptors in SCL3711, NXP_PN533 and ASK LoGO also
 when corrupted by received data

The problem occurs in the following succession of events:

* Emit commands returning an answer larger than 16 bytes
* Re-enumerate USB devices without power cycle, e.g. a warm reboot of the PC

The bug can be reproduced for testing purposes with usbreset.c from
https://askubuntu.com/questions/645/how-do-you-reset-a-usb-device-from-the-command-line#661

$ lsusb|grep NFC
Bus 001 Device 010: ID 04e6:5591 SCM Microsystems, Inc. SCL3711-NFC&RW
$ sudo ./usbreset /dev/bus/usb/001/010
Resetting USB device /dev/bus/usb/001/010
Reset successful
$ echo -e "4a 01 00\n423000" |pn53x-tamashell
$ sudo ./usbreset /dev/bus/usb/001/010
Resetting USB device /dev/bus/usb/001/010
Error in ioctl: No such device
$ lsusb|grep NFC
... device disappeared

In the example above, reading 4 pages of a MFUL corrupted one single byte.
The entire buffer can be corrupted e.g. with fast-reading a MFUL EV1:
$ echo -e "4a 01 00\n423a0013"|pn53x-tamashell
---
 libnfc/drivers/pn53x_usb.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libnfc/drivers/pn53x_usb.c b/libnfc/drivers/pn53x_usb.c
index 184e578..30f3b6f 100644
--- a/libnfc/drivers/pn53x_usb.c
+++ b/libnfc/drivers/pn53x_usb.c
@@ -729,6 +729,7 @@ read:
   }
   // The PN53x command is done and we successfully received the reply
   pnd->last_error = 0;
+  DRIVER_DATA(pnd)->possibly_corrupted_usbdesc |= len > 16;
   return len;
 }