Dear developer!
When I was auditing the code, I found a potential overflow risk. In the function usbd_event_ep0_setup_complete_handler, if setup->wLength is too long and setup->bmRequestType is USB_REQUEST_DIR_IN, the following if check may not take effect:

    if (setup->wLength > CONFIG_USBDEV_REQUEST_BUFFER_LEN) {
        if ((setup->bmRequestType & USB_REQUEST_DIR_MASK) == USB_REQUEST_DIR_OUT) {
            USB_LOG_ERR("Request buffer too small\r\n");
            usbd_ep_set_stall(busid, USB_CONTROL_IN_EP0);
            return;
        }
    }

setup->wLength may also affect the variables that follow, because g_usbd_core is a global structure, and there may be a risk of overflow in the future.
I think the check logic here should be rewritten so that the g_usbd_core global structure used afterwards is safer.
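To make the asymmetry in the quoted check concrete, here is a standalone model (an added example, not CherryUSB code) of the SETUP-stage length decision. It decodes a raw 8-byte SETUP packet, applies the check exactly as quoted (only oversized OUT requests are stalled, an IN request keeps its full wLength), and puts beside it a variant that also clamps the IN-direction data-stage length to the buffer. The buffer size, the struct ep0_state layout and the helper names are assumptions for this model; they stand in for CONFIG_USBDEV_REQUEST_BUFFER_LEN and the relevant fields of g_usbd_core rather than reproducing them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Direction bit of bmRequestType, as defined by the USB specification. */
#define USB_REQUEST_DIR_MASK 0x80U
#define USB_REQUEST_DIR_IN   0x80U
#define USB_REQUEST_DIR_OUT  0x00U

/* Stand-in for CONFIG_USBDEV_REQUEST_BUFFER_LEN; the value is an assumption
 * chosen for this model, not the project's configured default. */
#define REQ_BUFFER_LEN 256U

struct usb_setup_packet {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
};

/* Minimal model of per-bus EP0 state (assumed layout; the real g_usbd_core
 * has more fields, only what the length check touches is modelled). */
struct ep0_state {
    uint8_t  req_data[REQ_BUFFER_LEN];
    uint32_t data_len;   /* bytes the data stage is allowed to move */
    bool     stalled;
};

/* Decode the 8-byte SETUP packet; multi-byte fields are little-endian. */
static void parse_setup(const uint8_t raw[8], struct usb_setup_packet *s)
{
    s->bmRequestType = raw[0];
    s->bRequest      = raw[1];
    s->wValue        = (uint16_t)(raw[2] | (raw[3] << 8));
    s->wIndex        = (uint16_t)(raw[4] | (raw[5] << 8));
    s->wLength       = (uint16_t)(raw[6] | (raw[7] << 8));
}

/* Same decision as the check quoted in the issue: only an OUT request whose
 * wLength exceeds the buffer is stalled; an IN request keeps its full wLength. */
static bool setup_check_as_quoted(const struct usb_setup_packet *s, struct ep0_state *st)
{
    st->stalled = false;
    if (s->wLength > REQ_BUFFER_LEN &&
        (s->bmRequestType & USB_REQUEST_DIR_MASK) == USB_REQUEST_DIR_OUT) {
        st->stalled = true;
        return false;
    }
    st->data_len = s->wLength;   /* for IN this can exceed sizeof(req_data) */
    return true;
}

/* Hardened variant: an oversized OUT is still stalled (the host would write
 * more than can be stored), while an oversized IN is clamped. Returning fewer
 * bytes than wLength is legal; the short packet terminates the transfer. */
static bool setup_check_clamped(const struct usb_setup_packet *s, struct ep0_state *st)
{
    st->stalled = false;
    if ((s->bmRequestType & USB_REQUEST_DIR_MASK) == USB_REQUEST_DIR_OUT) {
        if (s->wLength > REQ_BUFFER_LEN) {
            st->stalled = true;
            return false;
        }
        st->data_len = s->wLength;
    } else {
        st->data_len = s->wLength > REQ_BUFFER_LEN ? REQ_BUFFER_LEN : s->wLength;
    }
    return true;
}

/* The invariant every later data-stage copy into req_data relies on. */
static bool data_stage_fits(const struct ep0_state *st)
{
    return st->data_len <= sizeof(st->req_data);
}

/* Wrapper: -1 when the request is stalled, otherwise the resulting data_len. */
static int run_check(bool clamped, const uint8_t raw[8])
{
    struct usb_setup_packet s;
    struct ep0_state st = {0};
    parse_setup(raw, &s);
    bool ok = clamped ? setup_check_clamped(&s, &st) : setup_check_as_quoted(&s, &st);
    return ok ? (int)st.data_len : -1;
}

int main(void)
{
    /* Constructed packet, not captured traffic: GET_DESCRIPTOR (IN), wLength 0x1000. */
    const uint8_t in_big[8] = {0x80, 0x06, 0x00, 0x02, 0x00, 0x00, 0x00, 0x10};
    struct usb_setup_packet s;
    struct ep0_state st = {0};
    parse_setup(in_big, &s);
    setup_check_as_quoted(&s, &st);
    printf("as quoted: data_len=%u fits=%d\n", st.data_len, data_stage_fits(&st));
    setup_check_clamped(&s, &st);
    printf("clamped:   data_len=%u fits=%d\n", st.data_len, data_stage_fits(&st));
    return 0;
}
```

Clamping rather than stalling the IN direction matters in practice: hosts routinely send GET_DESCRIPTOR with a wLength larger than the descriptor (or larger than any fixed request buffer) and rely on the device ending the transfer early, so stalling those would break enumeration, whereas clamping keeps the data-stage length bounded by the buffer in both directions.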