From b4eaf7dbafbe66b8f0de1c6a292c7b4271b94697 Mon Sep 17 00:00:00 2001
From: Saleem Rashid
Date: Wed, 23 Nov 2016 19:22:28 +0000
Subject: [PATCH] timer: Fix non-critical integer overflow (#129)

Every 4294967295 milliseconds (2 ^ 32 - 1), system_millis will overflow. This means that every 49.71 days, system_millis will reset to zero. Comparisons like `system_millis < (system_millis + 1)` would fail if the latter had overflown and the former had not. This is non-critical because the worst case is that one second could be skipped or the screen could lock early. This poses no threat to the exponential backoff used for protection against brute force.
---
 firmware/layout2.c | 2 +-
 firmware/trezor.c | 2 +-
 firmware/usb.c | 5 +++--
 timer.c | 2 +-
 timer.h | 4 +---
 5 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/firmware/layout2.c b/firmware/layout2.c
index 91c409b6e..cac754c6b 100644
--- a/firmware/layout2.c
+++ b/firmware/layout2.c
@@ -84,7 +84,7 @@ void layoutHome(void)
 oledRefresh();
 // Reset lock screen timeout
- system_millis_lock = system_millis + SCREEN_TIMEOUT_MILLIS;
+ system_millis_lock_start = system_millis;
 }
 const char *str_amount(uint64_t amnt, const char *abbr, char *buf, int len)
diff --git a/firmware/trezor.c b/firmware/trezor.c
index 129fd61a4..f5a64ae83 100644
--- a/firmware/trezor.c
+++ b/firmware/trezor.c
@@ -79,7 +79,7 @@ void check_lock_screen(void)
 // if homescreen is shown for longer than 10 minutes, lock too
 if (layoutLast == layoutHome) {
- if (system_millis >= system_millis_lock) {
+ if ((system_millis - system_millis_lock_start) >= 60000) {
 // lock the screen
 session_clear(true);
 layoutScreensaver();
diff --git a/firmware/usb.c b/firmware/usb.c
index df50f1640..e15dd4979 100644
--- a/firmware/usb.c
+++ b/firmware/usb.c
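Review bot: The new comparison in check_lock_screen (firmware/trezor.c) uses the literal `60000`, which is one minute, while the comment directly above it still says the home screen locks after 10 minutes and the `SCREEN_TIMEOUT_MILLIS` removed from timer.h was `(1000 * 60 * 10)`. The commit message describes only the overflow fix, so the shorter auto-lock interval looks unintended; if it is deliberate, the comment should be updated to match. Keeping the macro in timer.h and writing `if ((system_millis - system_millis_lock_start) >= SCREEN_TIMEOUT_MILLIS) {` would keep the timeout named in one place, and the unsigned subtraction would still handle the wrap. The body of check_lock_screen starts and ends outside the hunk.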
@@ -429,8 +429,9 @@ char usbTiny(char set)
 void usbSleep(uint32_t millis)
 {
- uint32_t end = system_millis + millis;
- while (end > system_millis) {
+ uint32_t start = system_millis;
+
+ while ((system_millis - start) < millis) {
 usbd_poll(usbd_dev);
 }
 }
diff --git a/timer.c b/timer.c
index e45ce740f..aad29663f 100644
--- a/timer.c
+++ b/timer.c
@@ -27,7 +27,7 @@ volatile uint32_t system_millis;
 /* Screen timeout */
-uint32_t system_millis_lock;
+uint32_t system_millis_lock_start;
 /*
 * Initialise the Cortex-M3 SysTick timer
diff --git a/timer.h b/timer.h
index 53713cdfe..69759c33f 100644
--- a/timer.h
+++ b/timer.h
@@ -24,9 +24,7 @@ extern volatile uint32_t system_millis;
 /* Screen timeout */
-extern uint32_t system_millis_lock;
-
-#define SCREEN_TIMEOUT_MILLIS (1000 * 60 * 10) /* 10 minutes */
+extern uint32_t system_millis_lock_start;
 void timer_init(void);
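Review bot: usbSleep in firmware/usb.c now relies on unsigned wraparound of `system_millis - start`, and nothing in the code says so, which makes it easy for a later edit to go back to comparing against an absolute deadline. A short comment above the loop would record the intent, for example `/* elapsed time is computed modulo 2^32, so the wait stays correct when system_millis wraps */`. The same comment would fit the elapsed-time check added to check_lock_screen in firmware/trezor.c.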