specchioriflesso/USB_Host_Shield_2.0
1
Fork 0
mirror of https://github.com/felis/USB_Host_Shield_2.0.git synced 2024-03-22 11:31:26 +01:00
Code Issues Projects Releases Packages Wiki Activity

HIDUniversal, HIDComposite: Don't overflow hidInterfaces[] or epInfo[]

Browse source 
If a connected device has more than 3 (maxHidInterfaces) HID interfaces,
which is not unusual with modern keyboards, EndpointXtract() wrote
beyond the hidInterfaces[] array and corrupted bHasReportId, PID + VID.

The same could happen with the epInfo[] array.
Now this is fixed by checking bNumIface/bNMumEP before adding new
elements to those arrays.
This commit is contained in:
Daniel Gibson 2021-01-12 01:42:48 +01:00
parent 757f428234
commit 59af2be74f
2 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
hidcomposite.cpp
View file

@ -306,6 +306,8 @@ void HIDComposite::EndpointXtract(uint8_t conf, uint8_t iface, uint8_t alt, uint
// Fill in interface structure in case of new interface
if(!piface) {
if(bNumIface >= maxHidInterfaces)
return; // don't overflow hidInterfaces[]
piface = hidInterfaces + bNumIface;
piface->bmInterface = iface;
piface->bmAltSet = alt;
@ -319,7 +321,7 @@ void HIDComposite::EndpointXtract(uint8_t conf, uint8_t iface, uint8_t alt, uint
if(!SelectInterface(iface, proto))
index = 0;
if(index) {
if(index && bNumEP < totalEndpoints) {
// Fill in the endpoint info structure
epInfo[bNumEP].epAddr = (pep->bEndpointAddress & 0x0F);
epInfo[bNumEP].maxPktSize = (uint8_t)pep->wMaxPacketSize;

4
hiduniversal.cpp
View file

@ -308,6 +308,8 @@ void HIDUniversal::EndpointXtract(uint8_t conf, uint8_t iface, uint8_t alt, uint
// Fill in interface structure in case of new interface
if(!piface) {
if(bNumIface >= maxHidInterfaces)
return; // don't overflow hidInterfaces[]
piface = hidInterfaces + bNumIface;
piface->bmInterface = iface;
piface->bmAltSet = alt;
@ -318,7 +320,7 @@ void HIDUniversal::EndpointXtract(uint8_t conf, uint8_t iface, uint8_t alt, uint
if((pep->bmAttributes & bmUSB_TRANSFER_TYPE) == USB_TRANSFER_TYPE_INTERRUPT)
index = (pep->bEndpointAddress & 0x80) == 0x80 ? epInterruptInIndex : epInterruptOutIndex;
if(index) {
if(index && bNumEP < totalEndpoints) {
// Fill in the endpoint info structure
epInfo[bNumEP].epAddr = (pep->bEndpointAddress & 0x0F);
epInfo[bNumEP].maxPktSize = (uint8_t)pep->wMaxPacketSize;