WIP win-vhid iter8: SetFeature reads input directly (unnumbered fix) + 9-byte input framing

Youw · Youw · commit 3e46f996e8a4 · 2026-06-07T01:02:25.000+03:00
diff --git a/src/tests/windows/driver/vhidmini.c b/src/tests/windows/driver/vhidmini.c
@@ -805,40 +805,48 @@ Return Value:
 --*/
 {
     NTSTATUS                status;
-    HID_XFER_PACKET         packet;
-    ULONG                   i;
-    ULONG                   scan;
+    WDFMEMORY               inputMemory;
+    size_t                  inputLen = 0;
+    PUCHAR                  inputBuf;
+    size_t                  i;
+    size_t                  scan;
 
     KdPrint(("SetFeature\n"));
 
-    status = RequestGetHidXferPacket_ToWriteToDevice(
-                            Request,
-                            &packet);
-    if( !NT_SUCCESS(status) ) {
+    //
+    // Read the feature report data directly. We deliberately do NOT use
+    // RequestGetHidXferPacket_ToWriteToDevice() here: that helper derives the
+    // report id from the request's *output* buffer length, which is 0 for an
+    // unnumbered device (report id 0) and makes the retrieval fail. We only
+    // need the raw bytes.
+    //
+    status = WdfRequestRetrieveInputMemory(Request, &inputMemory);
+    if (!NT_SUCCESS(status)) {
         return status;
     }
+    inputBuf = (PUCHAR)WdfMemoryGetBuffer(inputMemory, &inputLen);
 
     //
     // HIDAPI test: a Feature report carries a scenario command. Depending on
-    // whether the report is numbered, the command may be prefixed by a
-    // report-id byte, so scan the first few bytes for a recognised command
-    // (the report-id byte is 0 for this unnumbered device and the commands are
-    // non-zero, so this is unambiguous). The matching input report is replayed
-    // by the manual-queue timer (EvtTimerFunc).
+    // whether the report is prefixed by a report-id byte, the command is in the
+    // first couple of bytes; scan for a recognised TEST_VDEV_CMD_* value (the
+    // report-id byte is 0 and the commands are non-zero, so this is
+    // unambiguous). The matching input report is replayed by the manual-queue
+    // timer (EvtTimerFunc).
     //
-    scan = packet.reportBufferLen;
+    scan = inputLen;
     if (scan > 4) {
         scan = 4;
     }
     for (i = 0; i < scan; i++) {
-        UCHAR b = packet.reportBuffer[i];
+        UCHAR b = inputBuf[i];
         if (b == TEST_VDEV_CMD_EMIT_A || b == TEST_VDEV_CMD_EMIT_B) {
             InterlockedExchange(&QueueContext->DeviceContext->ScenarioCommand, (LONG)b);
             break;
         }
     }
 
-    WdfRequestSetInformation(Request, packet.reportBufferLen);
+    WdfRequestSetInformation(Request, inputLen);
     return STATUS_SUCCESS;
 }
 
@@ -1313,7 +1321,7 @@ Return Value:
     PMANUAL_QUEUE_CONTEXT   queueContext;
     WDFREQUEST              request;
     LONG                    command;
-    UCHAR                   inputReport[TEST_VDEV_REPORT_SIZE];
+    UCHAR                   inputReport[1 + TEST_VDEV_REPORT_SIZE];   /* report id + payload */
     static const UCHAR      inputA[TEST_VDEV_REPORT_SIZE] = { TEST_VDEV_INPUT_A_BYTES };
     static const UCHAR      inputB[TEST_VDEV_REPORT_SIZE] = { TEST_VDEV_INPUT_B_BYTES };
 
@@ -1341,11 +1349,12 @@ Return Value:
         return;
     }
 
-    RtlCopyMemory(inputReport,
+    inputReport[0] = 0;   /* report id (the device is unnumbered) */
+    RtlCopyMemory(inputReport + 1,
                   (command == TEST_VDEV_CMD_EMIT_B) ? inputB : inputA,
                   TEST_VDEV_REPORT_SIZE);
 
-    status = RequestCopyFromBuffer(request, inputReport, TEST_VDEV_REPORT_SIZE);
+    status = RequestCopyFromBuffer(request, inputReport, sizeof(inputReport));
     WdfRequestComplete(request, status);
 }
 
