Skip to content

Commit 52d25b5

Browse files
fdesbiensfdesbiens
authored
Merge commit from fork
Add bounds check for HID report item parsing
2 parents a528582 + 0b246ac commit 52d25b5

File tree

1 file changed

+62
-42
lines changed

1 file changed

+62
-42
lines changed

common/usbx_host_classes/src/ux_host_class_hid_report_descriptor_get.c

Lines changed: 62 additions & 42 deletions
Original file line numberDiff line numberDiff line change
@@ -11,8 +11,8 @@
1111

1212
/**************************************************************************/
1313
/**************************************************************************/
14-
/** */
15-
/** USBX Component */
14+
/** */
15+
/** USBX Component */
1616
/** */
1717
/** HID Class */
1818
/** */
@@ -29,47 +29,47 @@
2929
#include "ux_host_stack.h"
3030

3131

32-
/**************************************************************************/
33-
/* */
34-
/* FUNCTION RELEASE */
35-
/* */
36-
/* _ux_host_class_hid_report_descriptor_get PORTABLE C */
32+
/**************************************************************************/
33+
/* */
34+
/* FUNCTION RELEASE */
35+
/* */
36+
/* _ux_host_class_hid_report_descriptor_get PORTABLE C */
3737
/* 6.1 */
3838
/* AUTHOR */
3939
/* */
4040
/* Chaoqiong Xiao, Microsoft Corporation */
4141
/* */
4242
/* DESCRIPTION */
43-
/* */
44-
/* This function gets the report descriptor and analyzes it. */
45-
/* */
46-
/* INPUT */
47-
/* */
48-
/* hid Pointer to HID class */
49-
/* length Length of descriptor */
50-
/* */
51-
/* OUTPUT */
52-
/* */
53-
/* Completion Status */
54-
/* */
55-
/* CALLS */
56-
/* */
57-
/* _ux_host_class_hid_global_item_parse Parse global item */
58-
/* _ux_host_class_hid_local_item_parse Parse local item */
59-
/* _ux_host_class_hid_report_item_analyse Analyze report */
60-
/* _ux_host_class_hid_resources_free Free HID resources */
61-
/* _ux_host_stack_transfer_request Process transfer request */
62-
/* _ux_utility_memory_allocate Allocate memory block */
63-
/* _ux_utility_memory_free Release memory block */
64-
/* */
65-
/* CALLED BY */
66-
/* */
67-
/* HID Class */
68-
/* */
69-
/* RELEASE HISTORY */
70-
/* */
71-
/* DATE NAME DESCRIPTION */
72-
/* */
43+
/* */
44+
/* This function gets the report descriptor and analyzes it. */
45+
/* */
46+
/* INPUT */
47+
/* */
48+
/* hid Pointer to HID class */
49+
/* length Length of descriptor */
50+
/* */
51+
/* OUTPUT */
52+
/* */
53+
/* Completion Status */
54+
/* */
55+
/* CALLS */
56+
/* */
57+
/* _ux_host_class_hid_global_item_parse Parse global item */
58+
/* _ux_host_class_hid_local_item_parse Parse local item */
59+
/* _ux_host_class_hid_report_item_analyse Analyze report */
60+
/* _ux_host_class_hid_resources_free Free HID resources */
61+
/* _ux_host_stack_transfer_request Process transfer request */
62+
/* _ux_utility_memory_allocate Allocate memory block */
63+
/* _ux_utility_memory_free Release memory block */
64+
/* */
65+
/* CALLED BY */
66+
/* */
67+
/* HID Class */
68+
/* */
69+
/* RELEASE HISTORY */
70+
/* */
71+
/* DATE NAME DESCRIPTION */
72+
/* */
7373
/* 05-19-2020 Chaoqiong Xiao Initial Version 6.0 */
7474
/* 09-30-2020 Chaoqiong Xiao Modified comment(s), */
7575
/* resulting in version 6.1 */
@@ -117,6 +117,20 @@ UINT status;
117117
while (length)
118118
{
119119

120+
/* Make sure this descriptor has at least the minimum length. */
121+
if(length < 3)
122+
{
123+
124+
/* Error trap. */
125+
_ux_system_error_handler(UX_SYSTEM_LEVEL_THREAD, UX_SYSTEM_CONTEXT_CLASS, UX_DESCRIPTOR_CORRUPTED);
126+
127+
/* If trace is enabled, insert this event into the trace buffer. */
128+
UX_TRACE_IN_LINE_INSERT(UX_TRACE_ERROR, UX_DESCRIPTOR_CORRUPTED, descriptor, 0, 0, UX_TRACE_ERRORS, 0, 0)
129+
130+
/* Return error status. */
131+
status = (UX_DESCRIPTOR_CORRUPTED);
132+
}
133+
120134
/* Get one item from the report and analyze it. */
121135
_ux_host_class_hid_report_item_analyse(descriptor, &item);
122136

@@ -133,7 +147,7 @@ UINT status;
133147
status = _ux_host_class_hid_global_item_parse(hid, &item, descriptor);
134148
break;
135149

136-
150+
137151
case UX_HOST_CLASS_HID_TYPE_MAIN:
138152

139153
/* This is a main item. */
@@ -145,13 +159,13 @@ UINT status;
145159

146160
/* This is a local item. */
147161
status = _ux_host_class_hid_local_item_parse(hid, &item, descriptor);
148-
break;
162+
break;
149163

150164
default:
151165

152166
/* This is a reserved item, meaning it shouldn't be used! */
153167

154-
/* Set status to error. The check after this switch statement
168+
/* Set status to error. The check after this switch statement
155169
will handle the rest. */
156170
status = UX_DESCRIPTOR_CORRUPTED;
157171
break;
@@ -165,11 +179,17 @@ UINT status;
165179

166180
/* Jump to the next item. */
167181
descriptor += item.ux_host_class_hid_item_report_length;
168-
182+
169183
/* Verify that the report descriptor is not corrupted. */
170-
if (length < item.ux_host_class_hid_item_report_length)
184+
if (length < (item.ux_host_class_hid_item_report_length + item.ux_host_class_hid_item_report_format))
171185
{
172186

187+
/* Error trap. */
188+
_ux_system_error_handler(UX_SYSTEM_LEVEL_THREAD, UX_SYSTEM_CONTEXT_CLASS, UX_DESCRIPTOR_CORRUPTED);
189+
190+
/* If trace is enabled, insert this event into the trace buffer. */
191+
UX_TRACE_IN_LINE_INSERT(UX_TRACE_ERROR, UX_DESCRIPTOR_CORRUPTED, descriptor, 0, 0, UX_TRACE_ERRORS, 0, 0)
192+
173193
/* Return error status. */
174194
status = (UX_DESCRIPTOR_CORRUPTED);
175195
break;

0 commit comments

Comments
 (0)