Buffer overflow in ux_device_class_cdc_acm_read

eclipse-threadx / usbx

Eclipse ThreadX - USBX is a high-performance USB host, device, and on-the-go (OTG) embedded stack, that is fully integrated with Eclipse ThreadX RTOS

https://github.com/eclipse-threadx/rtos-docs/blob/main/rtos-docs/usbx/index.md

MIT License

148 stars 88 forks source link

Buffer overflow in ux_device_class_cdc_acm_read #66

Closed KabaTrinker closed 2 years ago

KabaTrinker commented 2 years ago

I do an call to ux_device_class_cdc_acm_read with an buffer with size 150 and a requested_length=150 for example. If I send now 160 byte, the function returns with actual_length=160 and my buffer was filled with 160 bytes, so I've an overflow. Is this behavior correct?

xiaocq2001 commented 2 years ago

Yes. You may overflow. It seems in DCD transfer implement, the actual transferred size is directly reported without checking if received number of bytes exceeds requested.

For reading, it's recommended to offer full packet buffer (n 64 for FS and n 512 for HS), since USB data is transferred packet by packet, and short packet (data less than a full packet) terminates the transfer.

KabaTrinker commented 2 years ago

Ok, if I use a buffer size of n * packet size then I've no buffer overflow. Thank you for your fast response.