STMicroelectronics / STM32CubeH7

STM32Cube MCU Full Package for the STM32H7 series - (HAL + LL Drivers, CMSIS Core, CMSIS Device, MW libraries plus a set of Projects running on all boards provided by ST (Nucleo, Evaluation and Discovery Kits))
https://www.st.com/en/embedded-software/stm32cubeh7.html

USB_Host driver: potential buffer overflow when parsing configuration descriptor #262

Closed shijiameng closed 1 year ago

shijiameng commented 1 year ago

Describe the set-up

Describe the bug

In source file usbh_ctlreq.c, the function USBH_ParseCfgDesc is responsible for parsing the configuration description of a USB device. At line 507, the number of endpoint descriptors to be parsed depends on the bNumEndpoints field, as shown in line 485, and each endpoint is indexed by ep_ix. However, the driver assumes that the maximum number of endpoints per interface is 2 (defined by the macro USBH_MAX_NUM_ENDPOINTS). Therefore, a buffer overflow on the array Ep_Desc would arise at line 507 if a malicious USB device responds with more than USBH_MAX_NUM_ENDPOINTS (2) endpoint descriptors (i.e., bNumEndpoints >= USBH_MAX_NUM_ENDPOINTS).
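
The bound this report describes as missing, shown as an added example in C; it is not code from the STM32 USB Host library or from its fix. MAX_EPS, struct iface, parse_first_iface and the sample descriptor are constructed for illustration: the parser stores at most MAX_EPS endpoints regardless of what the device sends, and rejects descriptors whose lengths run past the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#define MAX_EPS 2            /* assumption: stands in for USBH_MAX_NUM_ENDPOINTS */
#define DESC_INTERFACE 0x04  /* standard USB descriptor type codes */
#define DESC_ENDPOINT  0x05

struct ep    { uint8_t addr; uint16_t max_pkt; };
struct iface { uint8_t num_eps; struct ep eps[MAX_EPS]; };

/* Constructed sample: one interface that advertises and sends 4 endpoints. */
static const uint8_t sample_cfg[] = {
    0x09, 0x02, 0x2E, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,  /* configuration, wTotalLength = 46 */
    0x09, 0x04, 0x00, 0x00, 0x04, 0xFF, 0x00, 0x00, 0x00,  /* interface, bNumEndpoints = 4 */
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,  0x07, 0x05, 0x02, 0x02, 0x40, 0x00, 0x00,
    0x07, 0x05, 0x83, 0x02, 0x40, 0x00, 0x00,  0x07, 0x05, 0x04, 0x02, 0x40, 0x00, 0x00,
};

/* Parse the first interface; returns endpoints stored, or -1 if malformed. */
int parse_first_iface(const uint8_t *buf, size_t len, struct iface *out) {
    if (len < 9 || buf[0] < 9) return -1;            /* config header is 9 bytes */
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8);  /* wTotalLength */
    if (total > len) total = len;                    /* device-supplied length is untrusted */
    size_t off = buf[0];                             /* skip the configuration header */
    int in_iface = 0;
    out->num_eps = 0;
    while (off + 2 <= total) {
        uint8_t dlen = buf[off], dtype = buf[off + 1];
        if (dlen < 2 || off + dlen > total) return -1;   /* zero or overlong bLength */
        if (dtype == DESC_INTERFACE) {
            if (in_iface) break;                     /* next interface: stop here */
            if (dlen < 9) return -1;
            in_iface = 1;                            /* bNumEndpoints is treated as a hint only */
        } else if (dtype == DESC_ENDPOINT && in_iface) {
            if (dlen < 7) return -1;
            if (out->num_eps < MAX_EPS) {            /* array bound, not the device's count */
                struct ep *e = &out->eps[out->num_eps++];
                e->addr = buf[off + 2];
                e->max_pkt = (uint16_t)(buf[off + 4] | (buf[off + 5] << 8));
            }                                        /* extra endpoints are skipped, not stored */
        }
        off += dlen;
    }
    return in_iface ? out->num_eps : -1;
}

int main(void) {
    struct iface it;  /* 4 endpoints sent, MAX_EPS stored */
    return parse_first_iface(sample_cfg, sizeof sample_cfg, &it) == MAX_EPS ? 0 : 1;
}
```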

shijiameng commented 1 year ago

I found this issue has been revised (CVE-2021-42553). Close it.

ALABSTM commented 1 year ago

Hi @shijiameng,

Thank you for your report. The issue you pointed out has been fixed in the frame of version 3.5.1 of our USB Host library, available here.

Currently, the STM32CubeH7 firmware still integrates version 3.5.0 of this library. However, you can easily download the newer version and integrate it manually into your package.

With regards,