Buffer overrun in USB_WritePacket if length not multiple of 4

STMicroelectronics / STM32CubeF4

STM32Cube MCU Full Package for the STM32F4 series - (HAL + LL Drivers, CMSIS Core, CMSIS Device, MW libraries plus a set of Projects running on all boards provided by ST (Nucleo, Evaluation and Discovery Kits))

Other

908 stars 425 forks source link

Buffer overrun in USB_WritePacket if length not multiple of 4 #54

Closed jrahlf closed 3 years ago

jrahlf commented 3 years ago

If the input length is not a multiple of 4, the function overruns the buffer by 3, 2 or 1 byte. This could trigger an exception (HardFault/BusFault), e.g. if one passes a buffer pointing to the last byte in RAM and length=1.

https://github.com/STMicroelectronics/STM32CubeF4/blob/b95577991ef8891c62c41e0845903e182cdf60d3/Drivers/STM32F4xx_HAL_Driver/Src/stm32f4xx_ll_usb.c#L965

Other devices are possible affected as well.

ALABSTM commented 3 years ago

Hi @jrahlf,

Thank you for having reported. Our development teams said the case you described is relevant, although very odd. They also said such an aspect is not intended to be handled at driver's level, rather at user application one. Hence, it is up to the user when designing their applications to ensure such a case does not happen.

Thank you again for your report and thank you for your comprehension.

With regards,

ALABSTM commented 3 years ago

Hi @jrahlf,

Please allow me to close this issue. Thank you again for your comprehension.

With regards,

bmcdonnell-fb commented 3 years ago

@ALABSTM it would be better to document the behavior in the function-level comments, that the function rounds up if necessary to the next multiple of 4 bytes.