No validity checking on the variable cfg_desc->wTotalLength #76

Closed
TheSilentDawn opened this issue Oct 14, 2020 · 3 comments

TheSilentDawn commented Oct 14, 2020

Describe the set-up

  • Software:
    • STM32Cube MCU & MPU Packages
  • Version:
    • STM32Cube_FW_H7_V1.8.0
  • Verification Hardware Platform:
    • STM32H7B3

Describe the bug

  • Function:

    • static void USBH_ParseCfgDesc(USBH_CfgDescTypeDef *cfg_desc, uint8_t *buf, uint16_t length)
  • Location:

  • Type:

    • Buffer Overflow
  • Result:

    • The system could be configured incorrectly with wrong parameters.
  • Description:

    • The function USBH_ParseCfgDesc() parses the configuration descriptor, interface descriptor, and endpoint descriptor by input data from a USB device.
    • However, it doesn’t check the validity of the variable cfg_desc->wTotalLength compared with the total length of the input buffer, as shown in:
      cfg_desc->wTotalLength = LE16(buf + 2);
      This will cause the subsequent code, including the calls to the functions USBH_GetNextDesc(), USBH_ParseInterfaceDesc() and USBH_ParseEPDesc(), to configure the system incorrectly.

How To Reproduce

  1. Run the MSC_Standalone application on the STM32H7B3I platform

  2. Plug in a USB disk

  3. Use the attached Bug2.txt to replace the USB device packet.

Additional context

  • To patch it, the program should check whether it reaches the end of the input buffer when adding cfg_desc->wTotalLength.
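
The check requested in the report above, as an added example (not part of the original issue and not ST's fix): a descriptor walker that compares wTotalLength with the number of bytes actually received and, going one step beyond the report, also validates each bLength before advancing. The names parse_cfg_checked, parse_with_total and cfg_summary_t and the sample descriptor are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define CFG_DESC_SIZE 9u   /* USB 2.0 standard descriptor sizes and types */
#define ITF_DESC_SIZE 9u
#define EP_DESC_SIZE  7u
#define DESC_TYPE_ITF 0x04u
#define DESC_TYPE_EP  0x05u
typedef struct { uint16_t total; uint8_t itf; uint8_t ep; } cfg_summary_t; /* hypothetical */

/* Constructed sample: config + 1 mass-storage interface + 2 bulk endpoints, 32 bytes. */
static const uint8_t sample_cfg[32] = {
    9, 0x02, 32, 0, 1, 1, 0, 0x80, 50,
    9, 0x04, 0, 0, 2, 0x08, 0x06, 0x50, 0,
    7, 0x05, 0x81, 0x02, 0x00, 0x02, 0,
    7, 0x05, 0x02, 0x02, 0x00, 0x02, 0 };

/* Walk buf[0..length); return 0 if well formed, -1 if any device-supplied
 * length field would move the parser outside the bytes actually received. */
int parse_cfg_checked(const uint8_t *buf, size_t length, cfg_summary_t *out)
{
    if (buf == NULL || out == NULL || length < CFG_DESC_SIZE || buf[0] < CFG_DESC_SIZE)
        return -1;
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8);  /* wTotalLength, little endian */
    if (total < buf[0] || total > length)   /* the comparison the issue reports as missing */
        return -1;
    out->total = (uint16_t)total; out->itf = 0; out->ep = 0;
    for (size_t off = buf[0]; off < total; off += buf[off]) {
        size_t left = total - off;
        if (left < 2u || buf[off] < 2u || buf[off] > left)
            return -1;                      /* truncated header, stalled walk, or overrun */
        if (buf[off + 1] == DESC_TYPE_ITF) {
            if (buf[off] < ITF_DESC_SIZE) return -1;
            out->itf++;
        } else if (buf[off + 1] == DESC_TYPE_EP) {
            if (buf[off] < EP_DESC_SIZE) return -1;
            out->ep++;
        }
    }
    return 0;
}

/* Re-parse the sample with wTotalLength overwritten by claimed_total. */
int parse_with_total(uint16_t claimed_total, cfg_summary_t *out)
{
    uint8_t buf[sizeof sample_cfg];
    memcpy(buf, sample_cfg, sizeof buf);
    buf[2] = (uint8_t)(claimed_total & 0xFFu); buf[3] = (uint8_t)(claimed_total >> 8);
    return parse_cfg_checked(buf, sizeof buf, out);
}
```

A rejected descriptor should fail enumeration for that device instead of being parsed partially.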
@ALABSTM ALABSTM self-assigned this Nov 2, 2020
@ALABSTM ALABSTM added the mw Middleware-related issue or pull-request. label Nov 2, 2020
@ALABSTM ALABSTM moved this from To do to Assigned in stm32cube-mcu-fw-dashboard Dec 2, 2020
@ALABSTM ALABSTM added the enhancement New feature or request label Dec 15, 2020
@ALABSTM ALABSTM added the usb USB-related (host or device) issue or pull-request label Jan 18, 2021
@ALABSTM ALABSTM moved this from Assigned to In progress in stm32cube-mcu-fw-dashboard Jan 18, 2021
@ALABSTM ALABSTM added the internal bug tracker Issue confirmed and reported into a ticket in the internal bug tracking system label Jan 18, 2021

ALABSTM commented Jan 18, 2021

ST Internal Reference: 99173


CHAMSTM commented Jul 26, 2021

Already fixed in USBH V3.4.0


ALABSTM commented Mar 14, 2022

Hi @TheSilentDawn,

Hope you're fine. Just to inform you the fix has been published in the frame of v1.10.0 release.

With regards,

@ALABSTM ALABSTM closed this as completed Mar 14, 2022
stm32cube-mcu-fw-dashboard automation moved this from To release to Done Mar 14, 2022