device: clamp EP0 OUT data copy to prevent buffer overrun#3722
Closed
sourabhligade wants to merge 1 commit into
Conversation
usbd_control_xfer_cb() copied xferred_bytes from the EP0 bounce buffer into the requester's buffer with no bound. A non-compliant host that sends an OUT data packet larger than the control transfer's data_len (= min(len, wLength), the buffer capacity) would overflow that buffer and over-count total_xferred. Clamp xferred_bytes to the remaining buffer space before the memcpy and accounting. Verified: ceedling test:all (61/61 pass), including test_usbd_control_out_overrun_clamp.
Collaborator
Why are you copying #3705 ??

Author
@HiFiPhile I am really sorry, it was an LLM agent mess-up! Apologies
Summary
Fixes a memory corruption issue in the USB device control transfer path (usbd_control_xfer_cb). usbd_control_xfer_cb() copied xferred_bytes from the EP0 bounce buffer into the requester's buffer with no bound. A non-compliant or hostile host that sends an OUT data packet larger than the control transfer's data_len (min(len, wLength), the buffer capacity) would overflow that buffer and over-count total_xferred. This lives in the shared control handler, so it affects every DCD.
Fix
Clamp xferred_bytes to the remaining buffer space (data_len - total_xferred) before the memcpy and accounting. No-op for conforming hosts (they never send more than wLength).
Test plan
ceedling test:all: 61/61 pass
test_usbd_control_out_overrun_clamp verifies that when the DCD reports a full EP0 packet on an 8-byte vendor OUT transfer, usbd clamps, completes the data stage, and queues the IN status stage (not another OUT data arm)
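The scenario in the test plan, as a stand-alone added illustration that is not TinyUSB's code and not the PR's diff: a minimal model of the EP0 OUT data-stage callback with and without the clamp. The field names (buffer, data_len, total_xferred, xferred_bytes) follow the PR description, but the struct layout, the 64-byte EP0 packet size, the next-stage decision and the host payload are assumptions. Memory after the 8-byte requester buffer is filled with a canary inside the same array so the pre-fix overrun can be counted rather than corrupting unrelated memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EP0_SIZE 64u   /* assumed full-speed EP0 max packet size */
#define XFER_LEN 8u    /* the 8-byte vendor OUT transfer from the test plan */
#define CANARY   0xA5u

/* Hypothetical control-transfer state; field names follow the PR text. */
typedef struct {
    uint8_t *buffer;          /* requester's buffer */
    uint16_t data_len;        /* min(len, wLength): capacity of buffer */
    uint16_t total_xferred;   /* bytes delivered to buffer so far */
} ctrl_xfer_t;

typedef enum { NEXT_ARM_OUT, NEXT_STATUS_IN } next_stage_t;

/* Simulated EP0 bounce buffer, filled by the host's OUT data packet. */
static uint8_t ep0_buf[EP0_SIZE];

/* One OUT data-stage completion. clamp == false mirrors the pre-fix behaviour
 * the PR describes (copy whatever the DCD reported); clamp == true applies the
 * fix: bound xferred_bytes by the remaining space before memcpy and accounting.
 * Returns the number of bytes actually accounted for. */
static uint32_t control_out_data_cb(ctrl_xfer_t *x, uint32_t xferred_bytes,
                                    bool clamp, next_stage_t *next) {
    if (clamp) {
        uint32_t remaining = (uint32_t)x->data_len - x->total_xferred;
        if (xferred_bytes > remaining) xferred_bytes = remaining;
    }
    memcpy(x->buffer + x->total_xferred, ep0_buf, xferred_bytes);
    x->total_xferred = (uint16_t)(x->total_xferred + xferred_bytes);
    /* Assumed stage logic: data stage done once the buffer is full, then the
     * IN status stage is queued; otherwise another OUT packet is armed. */
    *next = (x->total_xferred >= x->data_len) ? NEXT_STATUS_IN : NEXT_ARM_OUT;
    return xferred_bytes;
}

typedef struct {
    uint32_t accounted;        /* bytes the callback counted this call */
    uint16_t total_xferred;    /* transfer accounting after the call */
    uint32_t canary_clobbered; /* bytes written past data_len */
    next_stage_t next;
} result_t;

/* Runs the test-plan scenario: 8-byte OUT transfer, DCD reports a full
 * 64-byte EP0 packet. The requester buffer is the first XFER_LEN bytes of
 * mem; the rest is canary, so any overrun stays inside one object. */
static result_t run_scenario(bool clamp) {
    uint8_t mem[XFER_LEN + EP0_SIZE];
    memset(mem, CANARY, sizeof mem);
    memset(ep0_buf, 0x42, sizeof ep0_buf);   /* constructed host payload */

    ctrl_xfer_t x = { .buffer = mem, .data_len = XFER_LEN, .total_xferred = 0 };
    result_t r;
    r.accounted = control_out_data_cb(&x, EP0_SIZE, clamp, &r.next);
    r.total_xferred = x.total_xferred;
    r.canary_clobbered = 0;
    for (size_t i = XFER_LEN; i < sizeof mem; i++)
        if (mem[i] != CANARY) r.canary_clobbered++;
    return r;
}
```

Without the clamp, run_scenario(false) overruns the 8-byte buffer by 56 bytes and leaves total_xferred at 64; with it, run_scenario(true) copies 8 bytes, reports the data stage complete and selects the IN status stage. Note that clamping silently discards the excess from a non-compliant host rather than stalling EP0; that is the behaviour the PR chose, and it is harmless for conforming hosts because they never send more than wLength.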