Closed
Description
Describe the set-up
- Software:
- STM32Cube MCU & MPU Packages
- Version:
- STM32Cube_FW_H7_V1.8.0
- Verification Hardware Platform:
- STM32H7B3
Describe the bug
-
Function:
- static void USBH_ParseDevDesc(USBH_DevDescTypeDef *dev_desc, uint8_t *buf, uint16_t length)
-
Location:
-
Type:
- Denial-of-Service.
-
Result:
- A malformed USB device packet may cause the system to hang when it tries to communicate with the outside world.
-
Description:
- The function USBH_ParseDevDesc() parses the device descriptor by input data from a USB device.
- The valid max packet size of the device descriptor should be 8, 16, 32, and 64 as USB specification required. However, the function USBH_ParseDevDesc() doesn’t check the value of dev_desc->bMaxPacketSize as shown in . The variable dev_desc->bMaxPacketSize will be used as the size to construct the control pipe between host and device as shown in . If bMaxPacketSize is zero, the firmware will get the error status USBH_FAIL in the function USBH_HandleControl() called by the function USBH_CtlReq() when trying to communicate with the outside world by IN and OUT pipe in the future and the host will try to re-enumerate. This process will loop again and again.
How To Reproduce
-
Running MSC_Standalone application on the STM32H7B3I platform
-
Plug a USB disk
-
Use the attached Bug1.txt to replace the USB device packet. Bug1.txt
Additional context
- To patch it, the program should check if dev_desc->bMaxPacketSize is equal to 8, 16, 32 or 64. At least, it should be greater than zero.