You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In MSC, we need check the length before invoke block_write, int length = min(msc->state.data_out_length, sizeof(msc->state.data_buffer));
In HID and CDC, may need check the setup data length before next process, when buffer is small than request the stack may throw an error and return a stall state.
The best way may dynamic allocate memory for the setup data buffer, it need implement malloc and free. But I want keep all memories static in device mode.
buffer overflow and out of bound in tusb_rndis_device_request
if
setup_req->wLength > the size of cdc->encapsulated_buffer
, it could overflow.if
setup_req->wLength > 256
, it could overflow.out of bound
cdc->encapsulated_buffer
is receive from other usb device, which is recv inCDC_SEND_ENCAPSULATED_COMMAND
case.if
MessageLength
is too large, it could out of bound read.out of bound read in rndis_handle_set_msg
cdc->encapsulated_buffer
is receive from other usb devicewhen
m->InformationBufferOffset
is large, it could out of bound read!buffer overflow in tusb_cdc_device_request
if
setup_req->wLength > the size of dev_config->cmd_buffer
, it could overflow.buffer overflow in tusb_hid_device_request
if
setup_req->wLength > the size of dev_config->cmd_buffer
, it could overflow.out of bound read in msc_scsi_write_10
cbw
andcmd
is receive from other usb device, ifblock_count
too large , it could lead oob read.The text was updated successfully, but these errors were encountered: