Azure RTOS USBX is a high-performance USB host, device, and on-the-go (OTG) embedded stack that is fully integrated with Azure RTOS ThreadX.

In `_ux_host_class_pima_read`, the data length from the device response is returned in the very first packet and read at L165 as `header_length`. At L178 there is an `if` branch that checks the expression `(header_length - UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE) > data_length`. If `header_length` is smaller than `UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE`, this calculation could overflow, and the calculation of `data_length` at L182 then overflows as well. As a result, the `while` loop starting at L192 can move `data_pointer` to an unexpected address and cause a write buffer overflow.

The fix has been included in USBX release 6.1.12.

The following can be used as a workaround: add a check of `header_length`:

1. It must be greater than `UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE`.
1. It should be greater or equal to the current returned data length (`transfer_request -> ux_transfer_request_actual_length`).
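The two workaround checks can be modelled in isolation. The following is an added example, not code from USBX or from the advisory. The function names are hypothetical, `uint32_t` stands in for the stack's length type, and the header size of 12 bytes is an assumption made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed value for this example: 12-byte PIMA data container header. */
#define UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE 12u

/* Unvalidated arithmetic: unsigned subtraction wraps when the
   device-reported header_length is smaller than the header size. */
static uint32_t payload_length_unchecked(uint32_t header_length)
{
    return header_length - UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE;
}

/* The two workaround checks. Returns 1 if header_length is acceptable. */
static int header_length_ok(uint32_t header_length, uint32_t actual_length)
{
    if (header_length <= UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE)
        return 0;   /* check 1: must be greater than the header size */
    if (header_length < actual_length)
        return 0;   /* check 2: must cover the bytes already received */
    return 1;
}

/* Payload length after validation, or -1 when the response is rejected. */
static int64_t payload_length_checked(uint32_t header_length, uint32_t actual_length)
{
    if (!header_length_ok(header_length, actual_length))
        return -1;
    return (int64_t)(header_length - UX_HOST_CLASS_PIMA_DATA_HEADER_SIZE);
}

int main(void)
{
    /* Constructed samples: {header_length, actual_length} of a first packet. */
    static const uint32_t samples[][2] = { {512, 64}, {4, 64}, {12, 12}, {32, 64} };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t h = samples[i][0], a = samples[i][1];
        printf("header_length=%lu actual=%lu unchecked=0x%08lx checked=%lld\n",
               (unsigned long)h, (unsigned long)a,
               (unsigned long)payload_length_unchecked(h),
               (long long)payload_length_checked(h, a));
    }
    return 0;
}
```

A device-reported `header_length` of 4 makes the unchecked subtraction wrap to a value close to 4 GiB, which is the length that would otherwise drive the copy loop; the checked path rejects it before any arithmetic is done.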

Source: CVE-2022-39293

