From 19b6baa45521a221c4d0a6a2cf6d9e210551bf73 Mon Sep 17 00:00:00 2001
From: Ritvik
Date: Thu, 9 Jan 2025 15:40:21 -0500
Subject: [PATCH 1/4] Fix potential out of bounds access in msc_disk.c

---
 examples/device/cdc_msc_freertos/src/msc_disk.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/examples/device/cdc_msc_freertos/src/msc_disk.c b/examples/device/cdc_msc_freertos/src/msc_disk.c
index d2f8628f1..f48d976f2 100644
--- a/examples/device/cdc_msc_freertos/src/msc_disk.c
+++ b/examples/device/cdc_msc_freertos/src/msc_disk.c
@@ -191,7 +191,9 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
 // out of ramdisk
 if ( lba >= DISK_BLOCK_NUM ) return -1;
-
+ // Check for overflow of offset + bufsize
+ if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
+
 uint8_t const* addr = msc_disk[lba] + offset;
 memcpy(buffer, addr, bufsize);

From bd0875358347b5c062bab897f2fcfe28de5a13d3 Mon Sep 17 00:00:00 2001
From: HiFiPhile
Date: Wed, 22 Jan 2025 21:22:32 +0100
Subject: [PATCH 2/4] Fix CI.

---
 examples/device/cdc_msc_freertos/src/msc_disk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/device/cdc_msc_freertos/src/msc_disk.c b/examples/device/cdc_msc_freertos/src/msc_disk.c
index f48d976f2..e13c24436 100644
--- a/examples/device/cdc_msc_freertos/src/msc_disk.c
+++ b/examples/device/cdc_msc_freertos/src/msc_disk.c
@@ -193,7 +193,7 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
 if ( lba >= DISK_BLOCK_NUM ) return -1;
 // Check for overflow of offset + bufsize
 if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
-
+
 uint8_t const* addr = msc_disk[lba] + offset;
 memcpy(buffer, addr, bufsize);

From 19d28a9d15569765b7686380920f660fcd6ceeaf Mon Sep 17 00:00:00 2001
From: HiFiPhile
Date: Wed, 22 Jan 2025 21:24:14 +0100
Subject: [PATCH 3/4] Fix also cdc_msc example.

---
 examples/device/cdc_msc/src/msc_disk.c | 3 +++
 1 file changed, 3 insertions(+)

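Review bot: The comment on the added line says it checks for overflow of `offset + bufsize`, but the condition only compares the sum against DISK_BLOCK_SIZE; `offset` is `uint32_t` per the hunk header (bufsize's type is cut off but presumably matches), so the addition wraps modulo 2^32 before the comparison, and a pair whose sum wraps to a small value passes the check while `msc_disk[lba] + offset` then points past the block. Patch 4 later changes `>=` to `>` (correctly admitting a read of exactly one full block) but keeps the same addition, so the same point applies to the cdc_msc hunk in patch 3 and to both hunks in patch 4. A form that cannot wrap is `if ( offset > DISK_BLOCK_SIZE || bufsize > DISK_BLOCK_SIZE - offset ) return -1;`, and the comment should state what is enforced, e.g. `// reject reads that would extend past the end of the block`. In the normal stack the MSC class driver supplies offset and bufsize, so as far as this hunk shows this is defense in depth at the callback boundary rather than a path reachable from the host; the body of tud_msc_read10_cb continues outside the hunk.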
diff --git a/examples/device/cdc_msc/src/msc_disk.c b/examples/device/cdc_msc/src/msc_disk.c
index d2f8628f1..c1132bbfc 100644
--- a/examples/device/cdc_msc/src/msc_disk.c
+++ b/examples/device/cdc_msc/src/msc_disk.c
@@ -192,6 +192,9 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
 // out of ramdisk
 if ( lba >= DISK_BLOCK_NUM ) return -1;
+ // Check for overflow of offset + bufsize
+ if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
+
 uint8_t const* addr = msc_disk[lba] + offset;
 memcpy(buffer, addr, bufsize);

From f6f02f189354bf3576372611145f670f29e0ba58 Mon Sep 17 00:00:00 2001
From: hathach
Date: Sat, 25 Jan 2025 23:07:34 +0700
Subject: [PATCH 4/4] correct offset check logic

---
 examples/device/cdc_msc/src/msc_disk.c | 8 ++++++--
 examples/device/cdc_msc_freertos/src/msc_disk.c | 9 +++++++--
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/examples/device/cdc_msc/src/msc_disk.c b/examples/device/cdc_msc/src/msc_disk.c
index c1132bbfc..d325d77fa 100644
--- a/examples/device/cdc_msc/src/msc_disk.c
+++ b/examples/device/cdc_msc/src/msc_disk.c
@@ -190,10 +190,14 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
 (void) lun;
 // out of ramdisk
- if ( lba >= DISK_BLOCK_NUM ) return -1;
+ if ( lba >= DISK_BLOCK_NUM ) {
+ return -1;
+ }
 // Check for overflow of offset + bufsize
- if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
+ if ( offset + bufsize > DISK_BLOCK_SIZE ) {
+ return -1;
+ }
 uint8_t const* addr = msc_disk[lba] + offset;
 memcpy(buffer, addr, bufsize);
diff --git a/examples/device/cdc_msc_freertos/src/msc_disk.c b/examples/device/cdc_msc_freertos/src/msc_disk.c
index e13c24436..d325d77fa 100644
--- a/examples/device/cdc_msc_freertos/src/msc_disk.c
+++ b/examples/device/cdc_msc_freertos/src/msc_disk.c
@@ -190,9 +190,14 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
 (void) lun;
 // out of ramdisk
- if ( lba >= DISK_BLOCK_NUM ) return -1;
+ if ( lba >= DISK_BLOCK_NUM ) {
+ return -1;
+ }
+
 // Check for overflow of offset + bufsize
- if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
+ if ( offset + bufsize > DISK_BLOCK_SIZE ) {
+ return -1;
+ }
 uint8_t const* addr = msc_disk[lba] + offset;
 memcpy(buffer, addr, bufsize);