From 0a1b5f49da3146294d2a63492b7fdce35cf78103 Mon Sep 17 00:00:00 2001 From: Markus Rathgeb Date: Fri, 4 Nov 2022 08:20:51 +0100 Subject: [PATCH] prevent memory corruption An USB device that provides more endpoints then the defined maximum supported ones of the code base this will lead to a memory corruption. The code does not check if it runs over the maximum defined endpoints and write to the memory behind of it. For the number of interfaces the check if the maximum is already reached is present, for the endpoints it is missing. Signed-off-by: Markus Rathgeb --- Middlewares/ST/STM32_USB_Host_Library/Core/Src/usbh_ctlreq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Middlewares/ST/STM32_USB_Host_Library/Core/Src/usbh_ctlreq.c b/Middlewares/ST/STM32_USB_Host_Library/Core/Src/usbh_ctlreq.c index b638b504da..0348b13b0d 100644 --- a/Middlewares/ST/STM32_USB_Host_Library/Core/Src/usbh_ctlreq.c +++ b/Middlewares/ST/STM32_USB_Host_Library/Core/Src/usbh_ctlreq.c @@ -450,7 +450,7 @@ static USBH_StatusTypeDef USBH_ParseCfgDesc(USBH_HandleTypeDef *phost, uint8_t * ep_ix = 0U; pep = (USBH_EpDescTypeDef *)NULL; - while ((ep_ix < pif->bNumEndpoints) && (ptr < cfg_desc->wTotalLength)) + while ((ep_ix < USBH_MAX_NUM_ENDPOINTS) && (ep_ix < pif->bNumEndpoints) && (ptr < cfg_desc->wTotalLength)) { pdesc = USBH_GetNextDesc((uint8_t *)(void *)pdesc, &ptr);