Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Replace device calls to memcpy with tu_memcpy_s #1852

Merged
merged 2 commits into from
Feb 27, 2023
Merged

fix: Replace device calls to memcpy with tu_memcpy_s #1852

merged 2 commits into from
Feb 27, 2023

Conversation

nathaniel-brough
Copy link
Contributor

@nathaniel-brough nathaniel-brough commented Jan 13, 2023
edited
Loading

Describe the PR
Introduces a new function tu_memcpy_s, which is effectively a backport of memcpy_s. The change also refactors calls to memcpy over to the more secure tu_memcpy_s.

More specifically, this change adds some bounds checking to the destination buffer, to prevent buffer overflows.

What this PR cover's;

  • Non-trivial calls to memcpy from the device/common driver code

What this PR doesn't cover;

  • Trivial calls to memcpy
  • Calls to memcpy from tu_fifo
  • Calls to memcpy from the host driver code

@nathaniel-brough nathaniel-brough force-pushed the mem_s branch 7 times, most recently from 25ec4e3 to 326cca5 Compare January 13, 2023 22:39
@nathaniel-brough
fix: Replace device calls to memcpy with tu_memcpy_s
2e47210 
Introduces a new function tu_memcpy_s, which is effectively
a backport of memcpy_s. The change also refactors calls
to memcpy over to the more secure tu_memcpy_s.
@nathaniel-brough nathaniel-brough marked this pull request as ready for review January 13, 2023 23:27
hathach
hathach reviewed Feb 27, 2023
View reviewed changes
src/class/msc/msc_device.c
@@ -707,7 +707,7 @@ static int32_t proc_builtin_scsi(uint8_t lun, uint8_t const scsi_cmd[16], uint8_
read_capa10.block_size = tu_htonl(block_size);

resplen = sizeof(read_capa10);
memcpy(buffer, &read_capa10, (size_t) resplen);
TU_VERIFY(tu_memcpy_s(buffer, bufsize, &read_capa10, (size_t) resplen));
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missing ==0 check

hathach
hathach approved these changes Feb 27, 2023
View reviewed changes
Copy link
Owner

@hathach hathach left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

superb !! Thank you very much for the PR and sorry again for the delay. memcpy_s is a great idea to prevent memory overflow, this function is new to me. I found an instance where ==0 is not checked, to prevent such as typo, I have change the code to 0==tu_memcpy_s(), this way it is easier to spot this type of issue.

Thank again for bringing this up.

@hathach hathach merged commit 65ac519 into hathach:master Feb 27, 2023
@nathaniel-brough
Copy link
Contributor Author

No worries 👍

@HiFiPhile
Copy link
Collaborator

For UAC class _audiod_fct[func_id].ctrl_buf_sz should be used instead of sizeof(_audiod_fct[func_id].ctrl_buf)

tinyusb/src/class/audio/audio_device.c

Line 2293 in 34798ff

TU_VERIFY(0 == tu_memcpy_s(_audiod_fct[func_id].ctrl_buf, sizeof(_audiod_fct[func_id].ctrl_buf), data, (size_t)len));

I'm in vacation anyone can make a PR ? @silvergasp @hathach
#1935

@elagil elagil mentioned this pull request Mar 5, 2023
Closed
1 task
@nathaniel-brough nathaniel-brough mentioned this pull request Mar 6, 2023
Merged
@nathaniel-brough
Copy link
Contributor Author

PR here #1937

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hathach hathach hathach approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nathaniel-brough @HiFiPhile @hathach