Merge pull request #17203 from bergzand/pr/usbus/check_setup_length

usbus: check received setup request data amount
2024-12-29 04:50:03 +01:00 · 2021-11-17 08:59:07 +01:00 · 2021-11-17 08:59:07 +01:00 · 74cdb11bd1
commit 74cdb11bd1
parent 83c2f2d367 4573d5f9dc
2 changed files with 21 additions and 13 deletions
--- a/sys/usb/usbus/cdc/acm/cdc_acm.c
+++ b/sys/usb/usbus/cdc/acm/cdc_acm.c
@ -264,8 +264,10 @@ static int _control_handler(usbus_t *usbus, usbus_handler_t *handler,
                DEBUG("CDCACM: line coding not supported\n");
                return -1;
            }
-            if ((state == USBUS_CONTROL_REQUEST_STATE_OUTDATA) &&
-                    (setup->length == sizeof(usb_req_cdcacm_coding_t))) {
+            if (setup->length != sizeof(usb_req_cdcacm_coding_t)) {
+                return -1; /* Incorrect amount of data expected */
+            }
+            if (state == USBUS_CONTROL_REQUEST_STATE_OUTDATA) {
                size_t len = 0;
                usb_req_cdcacm_coding_t *coding =
                    (usb_req_cdcacm_coding_t*)usbus_control_get_out_data(usbus,
--- a/sys/usb/usbus/usbus_control.c
+++ b/sys/usb/usbus/usbus_control.c
@ -257,18 +257,24 @@ static void _recv_setup(usbus_t *usbus, usbus_control_handler_t *handler)

    DEBUG("usbus_control: Received setup %x %x @ %d\n", pkt->type,
          pkt->request, pkt->length);
-
-    uint8_t destination = pkt->type & USB_SETUP_REQUEST_RECIPIENT_MASK;
    int res = 0;
-    switch (destination) {
-        case USB_SETUP_REQUEST_RECIPIENT_DEVICE:
-            res = _recv_dev_setup(usbus, pkt);
-            break;
-        case USB_SETUP_REQUEST_RECIPIENT_INTERFACE:
-            res = _recv_interface_setup(usbus, pkt);
-            break;
-        default:
-            DEBUG("usbus_control: Unhandled setup request\n");
+
+    /* If write and length is more than expected */
+    if (!(usb_setup_is_read(pkt)) && (handler->received_len > pkt->length)) {
+       res = -1; /* Stall */
+    }
+    else {
+        uint8_t destination = pkt->type & USB_SETUP_REQUEST_RECIPIENT_MASK;
+        switch (destination) {
+            case USB_SETUP_REQUEST_RECIPIENT_DEVICE:
+                res = _recv_dev_setup(usbus, pkt);
+                break;
+            case USB_SETUP_REQUEST_RECIPIENT_INTERFACE:
+                res = _recv_interface_setup(usbus, pkt);
+                break;
+            default:
+                DEBUG("usbus_control: Unhandled setup request\n");
+        }
    }
    if (res < 0) {
        /* Signal stall to indicate unsupported (USB 2.0 spec 9.6.2 */