STMicroelectronics / stm32-mw-usb-host

Provides the USB Host library part of the STM32Cube MCU Component "middleware" for all STM32xx series.

Fix buffer overflow #4

Closed Defonceuse closed 1 year ago

Defonceuse commented 2 years ago

In case the descriptor contains more endpoints than USBH_MAX_NUM_ENDPOINTS, the Ep_Desc array and subsequent members of USBH_HandleTypeDef that contain function pointers are overwritten, allowing arbitrary code execution.

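The class of bug described above, shown as an added example rather than code from stm32-mw-usb-host: a descriptor walk that range-checks the device-supplied endpoint count before using it as an index into a fixed-size array sitting next to a function pointer. The `EpDesc`/`IfaceHandle` types, `parse_endpoints` and the sample bytes are hypothetical and only mirror the layout the report describes.

```c
/* Added example, not the library's code. The struct layout and names other than
 * USBH_MAX_NUM_ENDPOINTS are hypothetical; the cap is kept small for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define USBH_MAX_NUM_ENDPOINTS 2
#define USB_DESC_TYPE_ENDPOINT 0x05

typedef struct { uint8_t bEndpointAddress, bmAttributes; uint16_t wMaxPacketSize; } EpDesc;

typedef struct {
    EpDesc Ep_Desc[USBH_MAX_NUM_ENDPOINTS];
    void (*on_complete)(void);   /* lives right after the array, as in the report */
} IfaceHandle;

static void dummy_handler(void) {}

/* Walks a configuration-descriptor buffer and stores endpoint descriptors into h.
 * Returns the number stored, or -1 if the buffer is malformed or advertises more
 * endpoints than the array holds: the untrusted count is checked before indexing. */
int parse_endpoints(const uint8_t *buf, size_t len, IfaceHandle *h)
{
    int n = 0;
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t bLength = buf[off], bType = buf[off + 1];
        if (bLength < 2 || off + bLength > len) return -1;       /* bad length field */
        if (bType == USB_DESC_TYPE_ENDPOINT) {
            if (bLength < 7 || n >= USBH_MAX_NUM_ENDPOINTS) return -1; /* the missing check */
            h->Ep_Desc[n].bEndpointAddress = buf[off + 2];
            h->Ep_Desc[n].bmAttributes     = buf[off + 3];
            h->Ep_Desc[n].wMaxPacketSize   = (uint16_t)(buf[off + 4] | (buf[off + 5] << 8));
            n++;
        }
        off += bLength;
    }
    return n;
}

/* Constructed sample: one interface descriptor followed by three endpoint descriptors. */
static const uint8_t SAMPLE_THREE_EPS[] = {
    9, 0x04, 0, 0, 3, 0x08, 0x06, 0x50, 0,   /* interface, bNumEndpoints = 3 */
    7, 0x05, 0x81, 0x02, 0x00, 0x02, 0,      /* EP1 IN  bulk, wMaxPacketSize 512 */
    7, 0x05, 0x02, 0x02, 0x00, 0x02, 0,      /* EP2 OUT bulk */
    7, 0x05, 0x83, 0x03, 0x40, 0x00, 1,      /* EP3 IN  interrupt: one more than the cap */
};
```

Passing the first 23 bytes (interface plus two endpoints) parses cleanly; passing the whole buffer is rejected before the third endpoint could spill into `on_complete`.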

ALABSTM commented 2 years ago

Hi @Defonceuse,

Thank you for this fix proposal. The point will be forwarded to our development teams. I will get back to you as soon as I have their feedback.

May I ask you whether you noticed the point just by reviewing the code or whether you actually experienced a failure due to this implementation? Thank you in advance for your reply.

With regards,

ncsc-ch-vuln-mgmt commented 2 years ago

Hi @ALABSTM, at the Swiss NCSC (National Cybersecurity Center), we were contacted by the original reporter in January 2022 to assign a CVE number for this issue.

We were unable to get a security contact at your company via other channels; please contact us at vulnerability@ncsc.ch so we can discuss this case.

ALABSTM commented 2 years ago

Hi @ncsc-ch-vuln-mgmt,

Your request has been forwarded internally. I will get back to you as soon as I have an answer.

With regards,

Defonceuse commented 2 years ago

Hi @ALABSTM,

Sorry for the delay, I overlooked your question.

May I ask you whether you noticed the point just by reviewing the code or whether you actually experienced a failure due to this implementation? Thank you in advance for your reply.

I became aware of the problem when I connected a USB Mass Storage device that has more than USBH_MAX_NUM_ENDPOINTS and an exception handler was immediately triggered.

I did not review the code as it was treated as third-party code. Had it been reviewed, the vulnerability would likely have become obvious when checking for the coding rule that array indexes must be range-checked before use when they are received from an external/untrusted source.

Kind regards,

Defonceuse commented 2 years ago

This important vulnerability fix was not merged into recent releases. Please confirm it will be merged into the upcoming release.

ncsc-ch-vuln-mgmt commented 1 year ago

Hi, as this vulnerability has been open and publicly documented for a while, and since we did not get feedback from the vendor, we have issued a CVE at the finder's request: CVE-2021-42553 https://www.cve.org/CVERecord?id=CVE-2021-42553

CHAMSTM commented 1 year ago

Release v3.5.1 addresses CVE-2021-42553

ALABSTM commented 1 year ago

Hi @Defonceuse,

Really sorry for this delay. Your pull request has just been merged. Thank you very much for your contribution. Looking forward to receiving other ones.

With regards,

ALABSTM commented 1 year ago

Hi @ncsc-ch-vuln-mgmt,

Really sorry for this delay too. Thank you very much for the notification about the CVE identifier creation.

A SECURITY.md file (like this one) will be uploaded to this repository to provide users with contact information in case they detect any security-related vulnerability.

With regards,