Closed shijiameng closed 1 year ago
I found this issue has been revised (CVE-2021-42553). Close it.
Hi @shijiameng,
Thank you for your report. The issue you pointed out has been fixed in the frame of version 3.5.1 of our USB Host library, available here.
Currently, the STM32CubeH7 firmware still integrates version 3.5.0 of this library. However, you can easily download the newer version and integrate it manually into your package.
With regards,
Describe the set-up
Describe the bug
In source file usblctreq.c, the function USBH_ParseCfgDesc is responsible for parsing the configuration description of a USB device. At line 507, the number of endpoint descriptors to be parsed depends on the bNumEndpoints field as shown in line 485, and each endpoint is indexed by ep_ix. However, the driver assumes that the maximum number of endpoints per interface is 2 (defined by macro USBH_MAX_NUM_ENDPOINTS). Therefore, a buffer overflow on array Ep_Desc would arise at line 507 if a malicious USB device responds with more than USBH_MAX_NUM_ENDPOINTS (2) endpoint descriptors (i.e., bNumEndpoints >= USBH_MAX_NUM_ENDPOINTS).
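The class of check the report calls for, as an added example that is not ST's code and not the actual 3.5.1 fix: a host-side parser that clamps the device-supplied bNumEndpoints to the capacity of the fixed endpoint array and validates every bLength before advancing. The names MAX_EP, itf_desc_t, ep_desc_t and parse_interface are hypothetical, and the descriptor bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_EP 2            /* assumed; mirrors the limit of 2 given in the report */
#define DT_INTERFACE 0x04   /* standard USB descriptor type codes */
#define DT_ENDPOINT  0x05

typedef struct { uint8_t addr, attrs; uint16_t max_pkt; } ep_desc_t;
typedef struct { uint8_t num_ep; ep_desc_t ep[MAX_EP]; } itf_desc_t;

/* Constructed sample: one interface claiming 4 endpoints, followed by 4. */
static const uint8_t sample[] = {
    9, DT_INTERFACE, 0, 0, 4, 0xFF, 0, 0, 0,
    7, DT_ENDPOINT, 0x81, 0x02, 0x40, 0x00, 0,
    7, DT_ENDPOINT, 0x02, 0x02, 0x40, 0x00, 0,
    7, DT_ENDPOINT, 0x83, 0x03, 0x08, 0x00, 10,
    7, DT_ENDPOINT, 0x04, 0x03, 0x08, 0x00, 10,
};

/* Returns the number of endpoints stored, or -1 on malformed input. */
int parse_interface(const uint8_t *buf, size_t len, itf_desc_t *out)
{
    size_t off;
    uint8_t limit;

    memset(out, 0, sizeof *out);
    if (len < 9 || buf[0] < 9 || buf[0] > len || buf[1] != DT_INTERFACE)
        return -1;
    /* bNumEndpoints is device-controlled: clamp it to the array capacity. */
    limit = buf[4] > MAX_EP ? MAX_EP : buf[4];

    for (off = buf[0]; out->num_ep < limit && off + 2 <= len; off += buf[off]) {
        uint8_t blen = buf[off];
        if (blen < 2 || blen > len - off)    /* bLength must stay in bounds */
            return -1;
        if (buf[off + 1] == DT_INTERFACE)    /* next interface starts here */
            break;
        if (buf[off + 1] != DT_ENDPOINT)     /* skip other descriptor types */
            continue;
        if (blen < 7)                        /* too short for an endpoint */
            return -1;
        ep_desc_t *ep = &out->ep[out->num_ep++];  /* index < MAX_EP by loop guard */
        ep->addr = buf[off + 2];
        ep->attrs = buf[off + 3];
        ep->max_pkt = (uint16_t)(buf[off + 4] | (buf[off + 5] << 8));
    }
    return out->num_ep;
}

int main(void) { itf_desc_t itf; return parse_interface(sample, sizeof sample, &itf) == MAX_EP ? 0 : 1; }
```

Rejecting the interface outright when bNumEndpoints exceeds the limit is an equally valid policy; the point is that the array index never derives from the unclamped device value.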