Embedded/usbx
1
0
Fork 0
mirror of https://github.com/azure-rtos/usbx.git synced 2025-01-14 06:43:05 +08:00
Code Issues Projects Releases Wiki Activity

Merge pull request #161 from xiaocq2001/chxiao/msrc_84686_add_length_check_in_h_pima_stor_inf_g

Browse Source 
Fixed unicode string copy issue in host pima storage info get.
This commit is contained in:
Stefan Wick 2024-04-08 07:03:21 -07:00 committed by GitHub
commit 331a6694ab
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 3845 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
common/usbx_host_classes/src/ux_host_class_pima_storage_info_get.c
View File

@ -34,7 +34,7 @@
/* FUNCTION RELEASE */ /* FUNCTION RELEASE */
/* */ /* */
/* _ux_host_class_pima_storage_info_get PORTABLE C */ /* _ux_host_class_pima_storage_info_get PORTABLE C */
/* 6.3.0 */ /* 6.x */
/* AUTHOR */ /* AUTHOR */
/* */ /* */
/* Chaoqiong Xiao, Microsoft Corporation */ /* Chaoqiong Xiao, Microsoft Corporation */
@ -77,6 +77,9 @@
/* resulting in version 6.1 */ /* resulting in version 6.1 */
/* 10-31-2023 Yajun xia Modified comment(s), */ /* 10-31-2023 Yajun xia Modified comment(s), */
/* resulting in version 6.3.0 */ /* resulting in version 6.3.0 */
/* xx-xx-xxxx Chaoqiong Xiao Modified comment(s), */
/* fixed unicode string copy, */
/* resulting in version 6.x */
/* */ /* */
/**************************************************************************/ /**************************************************************************/
UINT _ux_host_class_pima_storage_info_get(UX_HOST_CLASS_PIMA *pima, UINT _ux_host_class_pima_storage_info_get(UX_HOST_CLASS_PIMA *pima,
@ -88,7 +91,7 @@ UX_HOST_CLASS_PIMA_COMMAND command;
UINT status; UINT status;
UCHAR *storage_buffer; UCHAR *storage_buffer;
UCHAR *storage_pointer; UCHAR *storage_pointer;
ULONG unicode_string_length; ULONG unicode_string_length, unicode_string_bytes;
/* If trace is enabled, insert this event into the trace buffer. */ /* If trace is enabled, insert this event into the trace buffer. */
UX_TRACE_IN_LINE_INSERT(UX_TRACE_HOST_CLASS_PIMA_STORAGE_INFO_GET, pima, storage_id, storage, 0, UX_TRACE_HOST_CLASS_EVENTS, 0, 0) UX_TRACE_IN_LINE_INSERT(UX_TRACE_HOST_CLASS_PIMA_STORAGE_INFO_GET, pima, storage_id, storage, 0, UX_TRACE_HOST_CLASS_EVENTS, 0, 0)
@ -140,17 +143,43 @@ ULONG unicode_string_length;
/* Get the unicode string length. */ /* Get the unicode string length. */
unicode_string_length = (ULONG) *storage_pointer ; unicode_string_length = (ULONG) *storage_pointer ;
/* unicode_string_length is a byte so
unicode_string_length * 2 + 1 will not overflow. */
unicode_string_bytes = (unicode_string_length << 1) + 1;
/* Check target buffer length. */
if (unicode_string_bytes > UX_HOST_CLASS_PIMA_UNICODE_MAX_LENGTH)
{
_ux_utility_memory_free(storage_buffer);
return(UX_BUFFER_OVERFLOW);
}
/* Copy that string into the storage description field. */ /* Copy that string into the storage description field. */
_ux_utility_memory_copy(storage -> ux_host_class_pima_storage_description, storage_pointer, unicode_string_length); /* Use case of memcpy is verified. */ _ux_utility_memory_copy(storage -> ux_host_class_pima_storage_description,
storage_pointer,
unicode_string_bytes); /* Use case of memcpy is verified. */
/* Point to the volume label. */ /* Point to the volume label. */
storage_pointer = storage_buffer + UX_HOST_CLASS_PIMA_STORAGE_VARIABLE_OFFSET + unicode_string_length; storage_pointer = storage_buffer + UX_HOST_CLASS_PIMA_STORAGE_VARIABLE_OFFSET + unicode_string_bytes;
/* Get the unicode string length. */ /* Get the unicode string length. */
unicode_string_length = (ULONG) *storage_pointer ; unicode_string_length = (ULONG) *storage_pointer ;
/* unicode_string_length is a byte so
unicode_string_length * 2 + 1 will not overflow. */
unicode_string_bytes = (unicode_string_length << 1) + 1;
/* Check target buffer length. */
if (unicode_string_bytes > UX_HOST_CLASS_PIMA_UNICODE_MAX_LENGTH)
{
_ux_utility_memory_free(storage_buffer);
return(UX_BUFFER_OVERFLOW);
}
/* Copy that string into the storage volume label field. */ /* Copy that string into the storage volume label field. */
_ux_utility_memory_copy(storage -> ux_host_class_pima_storage_volume_label, storage_pointer, unicode_string_length); /* Use case of memcpy is verified. */ _ux_utility_memory_copy(storage -> ux_host_class_pima_storage_volume_label,
storage_pointer,
unicode_string_bytes); /* Use case of memcpy is verified. */
} }

3811
test/regression/usbx_msrc_84686_host_pima_storage_info_get_test.c Normal file
View File

File diff suppressed because it is too large Load Diff