From 19b6baa45521a221c4d0a6a2cf6d9e210551bf73 Mon Sep 17 00:00:00 2001
From: Ritvik
Date: Thu, 9 Jan 2025 15:40:21 -0500
Subject: [PATCH 1/3] Fix potential out of bounds access in msc_disk.c

---
 examples/device/cdc_msc_freertos/src/msc_disk.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/examples/device/cdc_msc_freertos/src/msc_disk.c b/examples/device/cdc_msc_freertos/src/msc_disk.c
index d2f8628f13..f48d976f23 100644
--- a/examples/device/cdc_msc_freertos/src/msc_disk.c
+++ b/examples/device/cdc_msc_freertos/src/msc_disk.c
@@ -191,7 +191,9 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
 
  // out of ramdisk
  if ( lba >= DISK_BLOCK_NUM ) return -1;
-
+ // Check for overflow of offset + bufsize
+ if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
+
  uint8_t const* addr = msc_disk[lba] + offset;
  memcpy(buffer, addr, bufsize);
 
From bd0875358347b5c062bab897f2fcfe28de5a13d3 Mon Sep 17 00:00:00 2001
From: HiFiPhile
Date: Wed, 22 Jan 2025 21:22:32 +0100
Subject: [PATCH 2/3] Fix CI.

---
 examples/device/cdc_msc_freertos/src/msc_disk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/device/cdc_msc_freertos/src/msc_disk.c b/examples/device/cdc_msc_freertos/src/msc_disk.c
index f48d976f23..e13c244364 100644
--- a/examples/device/cdc_msc_freertos/src/msc_disk.c
+++ b/examples/device/cdc_msc_freertos/src/msc_disk.c
@@ -193,7 +193,7 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
  if ( lba >= DISK_BLOCK_NUM ) return -1;
  // Check for overflow of offset + bufsize
  if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
-
+
  uint8_t const* addr = msc_disk[lba] + offset;
  memcpy(buffer, addr, bufsize);
 
From 19d28a9d15569765b7686380920f660fcd6ceeaf Mon Sep 17 00:00:00 2001
From: HiFiPhile
Date: Wed, 22 Jan 2025 21:24:14 +0100
Subject: [PATCH 3/3] Fix also cdc_msc example.

---
 examples/device/cdc_msc/src/msc_disk.c | 3 +++
 1 file changed, 3 insertions(+)
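Review bot: The guard added in patch 1/3, `if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;`, is off by one: a request with offset 0 and bufsize equal to DISK_BLOCK_SIZE ends exactly at the block boundary, yet `>=` rejects it, so a whole-block read would fail. The sum is also unsigned 32-bit arithmetic (offset is `uint32_t`; the type of bufsize is cut off in the hunk header but is presumably the same), so a large enough offset can wrap around and pass the check before `msc_disk[lba] + offset` is formed. A form that avoids both is `if ( offset > DISK_BLOCK_SIZE || bufsize > DISK_BLOCK_SIZE - offset ) return -1;`, with the comment reworded to `// keep the copy inside one block`. The identical line added to examples/device/cdc_msc/src/msc_disk.c in patch 3/3 needs the same change; tud_msc_read10_cb starts and ends outside these hunks.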
diff --git a/examples/device/cdc_msc/src/msc_disk.c b/examples/device/cdc_msc/src/msc_disk.c
index d2f8628f13..c1132bbfcb 100644
--- a/examples/device/cdc_msc/src/msc_disk.c
+++ b/examples/device/cdc_msc/src/msc_disk.c
@@ -192,6 +192,9 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
  // out of ramdisk
  if ( lba >= DISK_BLOCK_NUM ) return -1;
 
+ // Check for overflow of offset + bufsize
+ if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;
+
  uint8_t const* addr = msc_disk[lba] + offset;
  memcpy(buffer, addr, bufsize);
 
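Review bot: The write path is left unchecked as far as this series shows, since all three patches touch only tud_msc_read10_cb and the file's write callback appears in none of them. If that callback forms its destination the same way (`msc_disk[lba] + offset`, then a copy of bufsize bytes), it needs the same bound, because an oversized request there would write past the ramdisk array rather than read past it. This is inferred from the read path and should be confirmed against the full file; if it holds, the check belongs in this commit so both examples stay consistent.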