Prevent buffer overflow in bth_device.c #1090

Merged: hathach merged 2 commits into hathach:master from szymonh:master, Sep 13, 2021
@szymonh szymonh commented Sep 12, 2021

Address possible buffer overflow in bth_device.c as described in issue #880 (btd_control_xfer_cb).

Passing size of _btd_itf.hci_cmd as len parameter to tud_control_xfer so that actual _ctrl_xfer.data_len will be set to minimum of buffer size and request wLength.

@hathach hathach left a comment

Thank you for your PR, looks good to me. Though let's wait for @kasjer's feedback since he is the original author of the bth driver.

@hathach hathach requested a review from kasjer September 13, 2021 05:42
else return false;

return tud_control_xfer(rhport, request, &_btd_itf.hci_cmd, request->wLength);
return tud_control_xfer(rhport, request, &_btd_itf.hci_cmd, sizeof(_btd_itf.hci_cmd));
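Review bot: on the last line, passing sizeof(_btd_itf.hci_cmd) means a request whose wLength exceeds the buffer is silently truncated rather than refused, so the command would reach the BT stack incomplete. Consider rejecting such a request the same way the `else return false;` branch above does, for example by returning false when request->wLength > sizeof(_btd_itf.hci_cmd). If truncation is intended, a one-line comment stating that this argument is the buffer capacity and that tud_control_xfer takes the minimum of it and wLength (as the PR description says) would keep a later edit from restoring request->wLength.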
Collaborator

I would also consider adding a similar size check in the call to tud_bt_hci_cmd_cb() in line 224, so as not to deceive the BT stack about the size of the command buffer if wLength cannot be trusted.

if (tud_bt_hci_cmd_cb) tud_bt_hci_cmd_cb(&_btd_itf.hci_cmd,
              tu_min16(sizeof(_btd_itf.hci_cmd), request->wLength));
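
The two bounds discussed in this thread (the transfer length and the length reported to the callback), as an added example that is not code from the pull request or from TinyUSB: a small model in which the transfer layer moves min(len, wLength) bytes, run once with wLength trusted and once with the buffer size as the bound. `demo_itf_t`, `demo_control_xfer`, `demo_recv_cmd`, `demo_request_is_safe` and the 8-byte buffer are assumptions made for the illustration.

```c
#include <stdint.h>
#include <string.h>

#define HCI_CMD_BUF_SIZE 8  /* constructed size, not the driver's real one */

/* Hypothetical stand-in for the driver's interface state. */
typedef struct {
  uint8_t hci_cmd[HCI_CMD_BUF_SIZE];
  uint8_t neighbour[4];  /* state located right after the buffer */
} demo_itf_t;

static uint16_t min_u16(uint16_t a, uint16_t b) { return a < b ? a : b; }

/* Model of the transfer layer: moves min(len, wLength) host bytes into buf. */
static uint16_t demo_control_xfer(void *buf, uint16_t len,
                                  const uint8_t *host, uint16_t wLength) {
  uint16_t n = min_u16(len, wLength);
  memcpy(buf, host, n);
  return n;
}

/* Returns the length reported to the BT stack callback.
 * fixed == 0: wLength is trusted; fixed == 1: bounded by sizeof(hci_cmd). */
static uint16_t demo_recv_cmd(demo_itf_t *itf, const uint8_t *host,
                              uint16_t wLength, int fixed) {
  uint16_t cap = (uint16_t)sizeof(itf->hci_cmd);
  /* itf is passed (hci_cmd sits at offset 0) so the demo write stays inside
   * one object; callers keep wLength <= sizeof(*itf). */
  demo_control_xfer(itf, fixed ? cap : wLength, host, wLength);
  return fixed ? min_u16(cap, wLength) : wLength;
}

/* 1 if the neighbouring state survives and the reported length fits. */
static int demo_request_is_safe(uint16_t wLength, int fixed) {
  demo_itf_t itf;
  uint8_t host[sizeof(demo_itf_t)];  /* constructed host payload */
  memset(&itf, 0xA5, sizeof(itf));
  memset(host, 0x41, sizeof(host));
  uint16_t reported = demo_recv_cmd(&itf, host, wLength, fixed);
  for (size_t i = 0; i < sizeof(itf.neighbour); i++)
    if (itf.neighbour[i] != 0xA5) return 0;
  return reported <= sizeof(itf.hci_cmd);
}

int main(void) {
  /* 12-byte wLength against the 8-byte buffer: unsafe unfixed, safe fixed */
  return !(demo_request_is_safe(12, 0) == 0 && demo_request_is_safe(12, 1) == 1);
}
```

Requests whose wLength fits the buffer behave the same in both modes; only the oversized request separates them.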

@kasjer kasjer left a comment

Looks good.

@hathach hathach left a comment

Thank you very much for your PR and @kasjer for helping with the review. Will merge when CI passes.

@hathach hathach merged commit 7e6f954 into hathach:master Sep 13, 2021
7FM pushed a commit to 7FM/tinyusb that referenced this pull request Aug 23, 2025
* Add BSSID connection options to PicoW

When working with a mesh or multiple APs with the same SSID, it is often
necessary to specify which of the APs to connect to in order to maximize
the WiFi strength.

Add BSSID options to the SDK's PicoW cyw43_arch_wifi_connect_XXX APIs.

Fixes hathach#1090

Co-authored-by: Earle F. Philhower, III <earlephilhower@yahoo.com>