Fix buffer overflow #4
Conversation
In case the descriptor contains more endpoints than USBH_MAX_NUM_ENDPOINTS, the Ep_Desc array and subsequent members of USBH_HandleTypeDef that contain function pointers are overwritten, allowing arbitrary code execution.

Hi @Defonceuse, Thank you for this fix proposal. The point will be forwarded to our development teams. I will get back to you as soon as I have their feedback. May I ask you whether you noticed the point just by reviewing the code or whether you actually experienced a failure due to this implementation? Thank you in advance for your reply. With regards,

Hi @ALABSTM, We were unable to get a security contact at your company via other channels, please contact us at vulnerability@ncsc.ch so we can discuss this case.

Your request has been forwarded internally. I will get back to you as soon as I have an answer. With regards,

Hi @ALABSTM, Sorry for the delay, I overlooked your question.
I became aware of the problem when I connected a USB Mass Storage device that has more than USBH_MAX_NUM_ENDPOINTS endpoints and an exception handler was immediately triggered. I did not review the code as it was treated as third-party code. Had it been reviewed, the vulnerability would likely have become obvious when checking for the coding rule that array indexes must be range-checked before use in case they are received from an external/untrusted source. Kind regards,

This important vulnerability fix was missed and not merged into recent releases. Please confirm that it will be merged into the upcoming release.

Hi,

Release v3.5.1 addresses CVE-2021-42553

Hi @Defonceuse, Really sorry for this delay. Your pull-request has just been merged. Thank you very much for your contribution. Looking forward to receiving other ones. With regards,

Really sorry for this delay too. Thank you very much for the notification about the CVE identifier creation. With regards,
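The overflow this pull request fixes, as an added illustration that is not the repository's own code: a simplified host handle whose Ep_Desc array is followed by a function pointer, and a descriptor parser that range-checks the device-supplied bNumEndpoints before indexing the array. The struct layouts, the USB_DESC_TYPE_ENDPOINT value, the small endpoint limit and the sample descriptor bytes are assumptions made for this demo, not ST's real definitions.

```c
#include <stddef.h>
#include <stdint.h>
#define USBH_MAX_NUM_ENDPOINTS 2   /* deliberately small limit for the demo */
#define USB_DESC_TYPE_ENDPOINT 0x05
/* Simplified stand-ins (assumed, not ST's real definitions): a bounded Ep_Desc
 * array followed by a function pointer, as the issue describes being overwritten. */
typedef struct {
    uint8_t  bEndpointAddress, bmAttributes;
    uint16_t wMaxPacketSize;
    uint8_t  bInterval;
} EpDesc;
typedef struct {
    EpDesc Ep_Desc[USBH_MAX_NUM_ENDPOINTS];
    void (*ClassCallback)(void);   /* sits right after the array in memory */
} HostHandle;
/* Copy endpoint descriptors into the handle. 'claimed' is bNumEndpoints from the
 * untrusted device. Returns the count stored, or -1 if the claim exceeds the
 * array or a descriptor is malformed. The first check is the fix. */
int parse_endpoints(HostHandle *h, const uint8_t *buf, size_t len, unsigned claimed)
{
    if (claimed > USBH_MAX_NUM_ENDPOINTS)
        return -1;                              /* would write past Ep_Desc */
    size_t off = 0;
    unsigned n = 0;
    while (n < claimed && off + 2 <= len) {
        uint8_t bLength = buf[off], bType = buf[off + 1];
        if (bLength < 2 || off + bLength > len) /* truncated or bogus bLength */
            return -1;
        if (bType == USB_DESC_TYPE_ENDPOINT) {
            if (bLength < 7) return -1;         /* endpoint descriptor is 7 bytes */
            h->Ep_Desc[n].bEndpointAddress = buf[off + 2];
            h->Ep_Desc[n].bmAttributes     = buf[off + 3];
            h->Ep_Desc[n].wMaxPacketSize   = (uint16_t)(buf[off + 4] | (buf[off + 5] << 8));
            h->Ep_Desc[n].bInterval        = buf[off + 6];
            n++;
        }
        off += bLength;                         /* skip non-endpoint descriptors */
    }
    return (int)n;
}
/* Constructed sample: three 7-byte bulk endpoint descriptors (EP1 IN, EP2 OUT, EP3 IN). */
static const uint8_t sample_eps[21] = {
    7, 5, 0x81, 2, 0x40, 0, 0,   7, 5, 0x02, 2, 0x40, 0, 0,   7, 5, 0x83, 2, 0x40, 0, 0 };
/* A device claiming 2 endpoints is parsed; one claiming 3 is rejected before any write. */
int demo_claims(unsigned claimed)
{
    HostHandle h = {0};
    return parse_endpoints(&h, sample_eps, sizeof sample_eps, claimed);
}
```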