Skip to content

Commit

Permalink
Merge pull request #2939 from PwnVerse/patch-1
Browse files Browse the repository at this point in the history 
Fix potential out of bounds access in msc_disk.c
  • Loading branch information
@HiFiPhile
HiFiPhile authored Jan 22, 2025
2 parents feb41ee + 19d28a9 commit 597446f
Show file tree
Hide file tree
Showing 2 changed files with 5 additions and 0 deletions.
3 changes: 3 additions & 0 deletions examples/device/cdc_msc/src/msc_disk.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -192,6 +192,9 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff
// out of ramdisk
if ( lba >= DISK_BLOCK_NUM ) return -1;

// Check for overflow of offset + bufsize
if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;

uint8_t const* addr = msc_disk[lba] + offset;
memcpy(buffer, addr, bufsize);

Expand Down
2 changes: 2 additions & 0 deletions examples/device/cdc_msc_freertos/src/msc_disk.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -191,6 +191,8 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff

// out of ramdisk
if ( lba >= DISK_BLOCK_NUM ) return -1;
// Check for overflow of offset + bufsize
if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1;

uint8_t const* addr = msc_disk[lba] + offset;
memcpy(buffer, addr, bufsize);
Expand Down

0 comments on commit 597446f

Please sign in to comment.