From 19b6baa45521a221c4d0a6a2cf6d9e210551bf73 Mon Sep 17 00:00:00 2001
From: Ritvik
Date: Thu, 9 Jan 2025 15:40:21 -0500
Subject: [PATCH 1/5] Fix potential out of bounds access in msc_disk.c

---
 examples/device/cdc_msc_freertos/src/msc_disk.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/examples/device/cdc_msc_freertos/src/msc_disk.c b/examples/device/cdc_msc_freertos/src/msc_disk.c
index d2f8628f1..f48d976f2 100644
--- a/examples/device/cdc_msc_freertos/src/msc_disk.c
+++ b/examples/device/cdc_msc_freertos/src/msc_disk.c
@@ -191,7 +191,9 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
 // out of ramdisk
 if ( lba >= DISK_BLOCK_NUM ) return -1;
-
+ // Check for overflow of offset + bufsize
+ if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
+
 uint8_t const* addr = msc_disk[lba] + offset;
 memcpy(buffer, addr, bufsize);

From 6476ff12417be6df834333410f4fb2e64049fe7a Mon Sep 17 00:00:00 2001
From: Tomas Rezucha
Date: Wed, 15 Jan 2025 19:16:58 +0100
Subject: [PATCH 2/5] fix(ncm): Return invalid NTBs to free list

In case we received invalid datagram, we silently fail a the buffer was not returned to empty list -> it was lost. If this happened more than CFG_TUD_NCM_OUT_NTB_N times, we run out of NTBs and all OUT transfers are NACKed. Closes https://github.com/espressif/esp-usb/issues/107
---
 src/class/net/ncm_device.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/class/net/ncm_device.c b/src/class/net/ncm_device.c
index aac11a058..f9fda0698 100644
--- a/src/class/net/ncm_device.c
+++ b/src/class/net/ncm_device.c
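Review bot: The new guard `if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;` rejects a read that ends exactly at the block boundary (offset + bufsize == DISK_BLOCK_SIZE), which is the ordinary full-block case; the fifth patch in this series changes the operator to `>`. What that later patch still leaves open is that the sum is evaluated in uint32_t, so if both operands can be large the addition wraps and the comparison passes even though the comment calls it an overflow check; whether the driver bounds offset and bufsize before calling this callback is not visible here, and a wrap-free form is `if ( bufsize > DISK_BLOCK_SIZE || offset > DISK_BLOCK_SIZE - bufsize ) return -1;`. The same check is added to examples/device/cdc_msc/src/msc_disk.c in patch 4 and rewritten in both files in patch 5. tud_msc_read10_cb begins and ends outside the hunk.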
@@ -857,7 +857,8 @@ bool netd_xfer_cb(uint8_t rhport, uint8_t ep_addr, xfer_result_t result, uint32_
 // - if there is a free receive buffer, initiate reception
 if (!recv_validate_datagram(ncm_interface.recv_tinyusb_ntb, xferred_bytes)) {
 // verification failed: ignore NTB and return it to free
- TU_LOG_DRV("(EE) VALIDATION FAILED. WHAT CAN WE DO IN THIS CASE?\n");
+ TU_LOG_DRV("Invalid datatagram. Ignoring NTB\n");
+ recv_put_ntb_into_free_list(ncm_interface.recv_tinyusb_ntb);
 } else {
 // packet ok -> put it into ready list
 recv_put_ntb_into_ready_list(ncm_interface.recv_tinyusb_ntb);

From bd0875358347b5c062bab897f2fcfe28de5a13d3 Mon Sep 17 00:00:00 2001
From: HiFiPhile
Date: Wed, 22 Jan 2025 21:22:32 +0100
Subject: [PATCH 3/5] Fix CI.

---
 examples/device/cdc_msc_freertos/src/msc_disk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/device/cdc_msc_freertos/src/msc_disk.c b/examples/device/cdc_msc_freertos/src/msc_disk.c
index f48d976f2..e13c24436 100644
--- a/examples/device/cdc_msc_freertos/src/msc_disk.c
+++ b/examples/device/cdc_msc_freertos/src/msc_disk.c
@@ -193,7 +193,7 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
 if ( lba >= DISK_BLOCK_NUM ) return -1;
 // Check for overflow of offset + bufsize
 if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
-
+
 uint8_t const* addr = msc_disk[lba] + offset;
 memcpy(buffer, addr, bufsize);

From 19d28a9d15569765b7686380920f660fcd6ceeaf Mon Sep 17 00:00:00 2001
From: HiFiPhile
Date: Wed, 22 Jan 2025 21:24:14 +0100
Subject: [PATCH 4/5] Fix also cdc_msc example.

---
 examples/device/cdc_msc/src/msc_disk.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/examples/device/cdc_msc/src/msc_disk.c b/examples/device/cdc_msc/src/msc_disk.c
index d2f8628f1..c1132bbfc 100644
--- a/examples/device/cdc_msc/src/msc_disk.c
+++ b/examples/device/cdc_msc/src/msc_disk.c
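Review bot: The replacement log string `"Invalid datatagram. Ignoring NTB\n"` misspells datagram; `TU_LOG_DRV("Invalid datagram. Ignoring NTB\n");`. Returning the NTB to the free list on the invalid path is the substantive fix here, and whether reception is re-initiated for that buffer afterward depends on code past the hunk (the comment above, "if there is a free receive buffer, initiate reception", suggests it is, but that cannot be confirmed from these lines). netd_xfer_cb continues outside the hunk.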
@@ -192,6 +192,9 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
 // out of ramdisk
 if ( lba >= DISK_BLOCK_NUM ) return -1;
+ // Check for overflow of offset + bufsize
+ if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
+
 uint8_t const* addr = msc_disk[lba] + offset;
 memcpy(buffer, addr, bufsize);

From f6f02f189354bf3576372611145f670f29e0ba58 Mon Sep 17 00:00:00 2001
From: hathach
Date: Sat, 25 Jan 2025 23:07:34 +0700
Subject: [PATCH 5/5] correct offset check logic

---
 examples/device/cdc_msc/src/msc_disk.c | 8 ++++++--
 examples/device/cdc_msc_freertos/src/msc_disk.c | 9 +++++++--
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/examples/device/cdc_msc/src/msc_disk.c b/examples/device/cdc_msc/src/msc_disk.c
index c1132bbfc..d325d77fa 100644
--- a/examples/device/cdc_msc/src/msc_disk.c
+++ b/examples/device/cdc_msc/src/msc_disk.c
@@ -190,10 +190,14 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
 (void) lun;
 // out of ramdisk
- if ( lba >= DISK_BLOCK_NUM ) return -1;
+ if ( lba >= DISK_BLOCK_NUM ) {
+ return -1;
+ }
 // Check for overflow of offset + bufsize
- if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
+ if ( offset + bufsize > DISK_BLOCK_SIZE ) {
+ return -1;
+ }
 uint8_t const* addr = msc_disk[lba] + offset;
 memcpy(buffer, addr, bufsize);
diff --git a/examples/device/cdc_msc_freertos/src/msc_disk.c b/examples/device/cdc_msc_freertos/src/msc_disk.c
index e13c24436..d325d77fa 100644
--- a/examples/device/cdc_msc_freertos/src/msc_disk.c
+++ b/examples/device/cdc_msc_freertos/src/msc_disk.c
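Review bot: The comment `// Check for overflow of offset + bufsize` above the rewritten guard in patch 5 describes something the code does not do: `offset + bufsize > DISK_BLOCK_SIZE` is a bounds check on the sum and does not detect the uint32_t addition wrapping. A comment that matches the new `>` comparison is `// Reject a read that would run past the end of the block`. The same comment sits above the identical guard in the cdc_msc_freertos hunk of this patch. tud_msc_read10_cb begins and ends outside the hunk.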
@@ -190,9 +190,14 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
 (void) lun;
 // out of ramdisk
- if ( lba >= DISK_BLOCK_NUM ) return -1;
+ if ( lba >= DISK_BLOCK_NUM ) {
+ return -1;
+ }
+
 // Check for overflow of offset + bufsize
- if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
+ if ( offset + bufsize > DISK_BLOCK_SIZE ) {
+ return -1;
+ }
 uint8_t const* addr = msc_disk[lba] + offset;
 memcpy(buffer, addr, bufsize);