device: clamp EP0 OUT data copy to prevent buffer overrun#3722

Closed
sourabhligade wants to merge 1 commit into hathach:master from sourabhligade:hotfix-memory
Conversation

@sourabhligade

Summary

Fixes a memory corruption issue in the USB device control transfer path (usbd_control_xfer_cb).

usbd_control_xfer_cb() copied xferred_bytes from the EP0 bounce buffer into the requester's buffer with no bound. A non-compliant or hostile host that sends an OUT data packet larger than the control transfer's data_len (min(len, wLength), the buffer capacity) would overflow that buffer and over-count total_xferred.

This lives in the shared control handler, so it affects every DCD.

Fix

Clamp xferred_bytes to the remaining buffer space (data_len - total_xferred) before the memcpy and accounting. No-op for conforming hosts (they never send more than wLength).

Test plan

  • ceedling test:all — 61/61 pass
  • New regression test test_usbd_control_out_overrun_clamp verifies that when the DCD reports a full EP0 packet on an 8-byte vendor OUT transfer, usbd clamps, completes the data stage, and queues the IN status stage (not another OUT data arm)

usbd_control_xfer_cb() copied xferred_bytes from the EP0 bounce buffer
into the requester's buffer with no bound. A non-compliant host that
sends an OUT data packet larger than the control transfer's data_len
(= min(len, wLength), the buffer capacity) would overflow that buffer
and over-count total_xferred. Clamp xferred_bytes to the remaining
buffer space before the memcpy and accounting.

Verified: ceedling test:all (61/61 pass), including
test_usbd_control_out_overrun_clamp.
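As an added example (not TinyUSB's own code), the unbounded copy beside the clamped one, replayed against the regression scenario from the test plan. The struct and function names are hypothetical stand-ins, and the data-stage completion rule (buffer full or short packet) is an assumption about the handler, not something this PR states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Model of the EP0 OUT data-stage copy described in the PR. The names are
 * hypothetical stand-ins, not TinyUSB's own usbd_control_xfer_cb(). */
#define EP0_SIZE 64u

typedef struct {
  uint8_t *buffer;        /* requester's buffer */
  uint16_t data_len;      /* min(len, wLength): the buffer's capacity */
  uint16_t total_xferred; /* bytes accepted so far */
} ctrl_xfer_t;

/* Before the fix: copies whatever the DCD reported, with no bound. */
static void out_copy_unclamped(ctrl_xfer_t *x, const uint8_t *ep0, uint16_t xferred) {
  memcpy(x->buffer + x->total_xferred, ep0, xferred);
  x->total_xferred += xferred;
}

/* After the fix: clamp to the remaining space before memcpy and accounting. */
static uint16_t out_copy_clamped(ctrl_xfer_t *x, const uint8_t *ep0, uint16_t xferred) {
  uint16_t remaining = (uint16_t)(x->data_len - x->total_xferred);
  if (xferred > remaining) xferred = remaining;
  memcpy(x->buffer + x->total_xferred, ep0, xferred);
  x->total_xferred += xferred;
  return xferred;
}

/* Assumed completion rule: data stage ends when the buffer is full or a short
 * packet arrived; the handler then queues the IN status stage, not another OUT arm. */
static bool data_stage_done(const ctrl_xfer_t *x, uint16_t xferred) {
  return x->total_xferred >= x->data_len || xferred < EP0_SIZE;
}

typedef struct { uint16_t total_xferred; bool canary_intact; bool done; } result_t;

/* Replays the PR's regression case: an 8-byte vendor OUT transfer for which the
 * DCD reports a full 64-byte EP0 packet. The 8-byte buffer is the front of a
 * larger canary-filled array so the overrun is observable without UB. */
static result_t run_scenario(bool clamp) {
  uint8_t storage[EP0_SIZE + 8], ep0[EP0_SIZE];
  memset(storage, 0xAA, sizeof storage); /* canary */
  memset(ep0, 0x55, sizeof ep0);         /* constructed host payload */
  ctrl_xfer_t x = { storage, 8, 0 };
  uint16_t accepted = clamp ? out_copy_clamped(&x, ep0, EP0_SIZE) : EP0_SIZE;
  if (!clamp) out_copy_unclamped(&x, ep0, EP0_SIZE);
  bool intact = true;
  for (size_t i = 8; i < sizeof storage; i++) intact = intact && storage[i] == 0xAA;
  return (result_t){ x.total_xferred, intact, data_stage_done(&x, accepted) };
}
```

With the clamp, total_xferred stays at 8 and the bytes past the buffer are untouched; without it, the copy runs 56 bytes past the buffer and total_xferred over-counts to 64.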
@HiFiPhile
Collaborator

Why are you copying #3705 ??

@HiFiPhile HiFiPhile closed this Jun 21, 2026
@sourabhligade
Author

@HiFiPhile I am really sorry, it was an LLM agent mess-up! Apologies
