From 59af2be74f3d4397704c5958c83bb7fc2af6d540 Mon Sep 17 00:00:00 2001
From: Daniel Gibson
Date: Tue, 12 Jan 2021 01:42:48 +0100
Subject: [PATCH] HIDUniversal, HIDComposite: Don't overflow hidInterfaces[] or epInfo[]

If a connected device has more than 3 (maxHidInterfaces) HID interfaces, which is not unusual with modern keyboards, EndpointXtract() wrote beyond the hidInterfaces[] array and corrupted bHasReportId, PID + VID. The same could happen with the epInfo[] array. Now this is fixed by checking bNumIface/bNMumEP before adding new elements to those arrays.
---
 hidcomposite.cpp | 4 +++-
 hiduniversal.cpp | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/hidcomposite.cpp b/hidcomposite.cpp
index 3f0a21c2..62cc9d0a 100644
--- a/hidcomposite.cpp
+++ b/hidcomposite.cpp
@@ -306,6 +306,8 @@ void HIDComposite::EndpointXtract(uint8_t conf, uint8_t iface, uint8_t alt, uint
 // Fill in interface structure in case of new interface
 if(!piface) {
+ if(bNumIface >= maxHidInterfaces)
+ return; // don't overflow hidInterfaces[]
 piface = hidInterfaces + bNumIface;
 piface->bmInterface = iface;
 piface->bmAltSet = alt;
@@ -319,7 +321,7 @@ void HIDComposite::EndpointXtract(uint8_t conf, uint8_t iface, uint8_t alt, uint
 if(!SelectInterface(iface, proto)) index = 0;
- if(index) {
+ if(index && bNumEP < totalEndpoints) {
 // Fill in the endpoint info structure
 epInfo[bNumEP].epAddr = (pep->bEndpointAddress & 0x0F);
 epInfo[bNumEP].maxPktSize = (uint8_t)pep->wMaxPacketSize;
diff --git a/hiduniversal.cpp b/hiduniversal.cpp
index 49309df4..4ced3b14 100644
--- a/hiduniversal.cpp
+++ b/hiduniversal.cpp
@@ -308,6 +308,8 @@ void HIDUniversal::EndpointXtract(uint8_t conf, uint8_t iface, uint8_t alt, uint
 // Fill in interface structure in case of new interface
 if(!piface) {
+ if(bNumIface >= maxHidInterfaces)
+ return; // don't overflow hidInterfaces[]
 piface = hidInterfaces + bNumIface;
 piface->bmInterface = iface;
 piface->bmAltSet = alt;
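Review bot: The new early `return` in the hidcomposite.cpp hunk at -306 silently drops the whole interface and every endpoint reported after it, and nothing records that the device exceeded `maxHidInterfaces`; the identical guard in the hiduniversal.cpp hunk at -308 has the same gap. Since the commit message says real keyboards hit this limit, someone debugging a device whose later interfaces never appear will find no trace of the truncation, so the comment should say that this is a deliberate cap rather than just "don't overflow", e.g. `return; // device has more HID interfaces than we track; the rest are ignored on purpose`. Whether `hidInterfaces` is declared with exactly `maxHidInterfaces` elements is not visible in this patch, so the `>=` bound should be checked against that declaration. EndpointXtract starts and ends outside the hunk.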
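Review bot: The `bNumEP < totalEndpoints` term added to the `if(index ...)` line in the hidcomposite.cpp hunk at -319 carries no comment, unlike the interface guard above it, so it reads as part of the original endpoint-index test instead of the bounds check on `epInfo[]` that it is; the same line appears in the hiduniversal.cpp hunk at -318. Suggest `if(index && bNumEP < totalEndpoints) { // index != 0 and a free slot left in epInfo[]`. That `epInfo` is actually sized by `totalEndpoints` cannot be confirmed from the patch and should be verified against its declaration. Both hunks sit in the middle of EndpointXtract, which continues outside them.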
@@ -318,7 +320,7 @@ void HIDUniversal::EndpointXtract(uint8_t conf, uint8_t iface, uint8_t alt, uint
 if((pep->bmAttributes & bmUSB_TRANSFER_TYPE) == USB_TRANSFER_TYPE_INTERRUPT) index = (pep->bEndpointAddress & 0x80) == 0x80 ? epInterruptInIndex : epInterruptOutIndex;
- if(index) {
+ if(index && bNumEP < totalEndpoints) {
 // Fill in the endpoint info structure
 epInfo[bNumEP].epAddr = (pep->bEndpointAddress & 0x0F);
 epInfo[bNumEP].maxPktSize = (uint8_t)pep->wMaxPacketSize;