
USB Virtual Com Port buffer overflow

camille
Associate II
Posted on January 09, 2012 at 10:09

Hi everybody.

I have a remark to make about the "USBD_GetString(uint8_t *desc, uint8_t *unicode, uint16_t *len)" function defined in "usbd_req.c".

When it's called with the function "USBD_GetString (USBD_PRODUCT_FS_STRING, USBD_StrDesc, length);" in "usbd_desc.c",

the reserved size of "USBD_StrDesc" in memory is 50: "__ALIGN_BEGIN uint8_t USBD_StrDesc[USB_MAX_STR_DESC_SIZ] __ALIGN_END ;" in "usbd_req.c"

with the following define in "usbd_conf.h": "#define USB_MAX_STR_DESC_SIZ            50"

However, the "USBD_PRODUCT_FS_STRING" is defined in "usbd_desc.c" as "#define USBD_PRODUCT_FS_STRING          "STM32 Virtual ComPort in FS Mode"", so it's a string of 32 characters.

When USBD_GetString(...) is called, it converts an ASCII string to a Unicode string, so it doubles the size of the string and adds its length at the beginning. So for a string of 32 chars, a size of 66 chars has to be reserved, that is 16 more than it is.

I don't know who to alert about this little mistake, but for me it has been a pain because it overflowed over data I used in my main application. So if it can help someone in the same case, I post it.

Regards.

Robin.
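
The size arithmetic from the post above and one way to bound the conversion, as an added example that is not part of the original post or of ST's library. STR_DESC_BYTES and build_string_descriptor are hypothetical names; the constants are the values quoted in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values quoted in the post; 0x03 is the USB string descriptor type. */
#define USB_MAX_STR_DESC_SIZ   50
#define USBD_PRODUCT_FS_STRING "STM32 Virtual ComPort in FS Mode"
#define USB_DESC_TYPE_STRING   0x03

/* Descriptor size for a literal: 2 header bytes + 2 bytes per character. */
#define STR_DESC_BYTES(lit) (2u * (sizeof(lit) - 1u) + 2u)

/* Build-time guard (C11), shown as a comment because it fails for the values
 * above (66 > 50), which is the overflow the post reports:
 * _Static_assert(STR_DESC_BYTES(USBD_PRODUCT_FS_STRING) <= USB_MAX_STR_DESC_SIZ,
 *                "product string does not fit the descriptor buffer");
 */

/* Hypothetical helper (not an ST API): ASCII to string descriptor with an
 * explicit capacity. Truncates instead of writing past cap; returns the
 * number of bytes written (always even), or 0 if no header fits. */
uint16_t build_string_descriptor(const char *ascii, uint8_t *out, size_t cap)
{
    size_t len, idx = 2;

    if (ascii == NULL || out == NULL || cap < 2)
        return 0;
    len = 2 * strlen(ascii) + 2;
    if (len > cap)
        len = cap;
    if (len > 254)
        len = 254;                /* bLength is a single byte */
    len &= ~(size_t)1;            /* whole UTF-16 code units only */

    out[0] = (uint8_t)len;        /* bLength */
    out[1] = USB_DESC_TYPE_STRING;
    while (idx < len) {
        out[idx++] = (uint8_t)*ascii++;
        out[idx++] = 0x00;        /* high byte of the UTF-16LE unit */
    }
    return (uint16_t)len;
}

int main(void)
{
    uint8_t buf[USB_MAX_STR_DESC_SIZ];
    /* 66 bytes needed, 50 available: truncated to 50, nothing past buf. */
    return build_string_descriptor(USBD_PRODUCT_FS_STRING, buf, sizeof buf) == 50 ? 0 : 1;
}
```

Uncommenting the guard turns the oversized product string into a build error instead of a runtime overwrite of whatever follows the buffer.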

2 REPLIES

igal
Associate II
Posted on July 28, 2013 at 12:35

Thank you very much, it helps a lot.

I have used this driver for ages now and only today I found that overflow myself; it went under the radar till today.

alyoshin
Associate II
Posted on February 20, 2017 at 07:01

Date: Mon, 20 Feb 2017 08:52:56 +0300

Subject: [PATCH] Limit string length with USBD_MAX_STR_DESC_SIZ in

 USBD_GetString()

---

 Middlewares/ST/STM32_USB_Device_Library/Core/Src/usbd_ctlreq.c | 9 ++++++---

 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/Middlewares/ST/STM32_USB_Device_Library/Core/Src/usbd_ctlreq.c b/Middlewares/ST/STM32_USB_Device_Library/Core/Src/usbd_ctlreq.c

index 7701a6d..d355903 100644

--- a/Middlewares/ST/STM32_USB_Device_Library/Core/Src/usbd_ctlreq.c

+++ b/Middlewares/ST/STM32_USB_Device_Library/Core/Src/usbd_ctlreq.c

@@ -733,13 +733,16 @@ void USBD_GetString(uint8_t *desc, uint8_t *unicode, uint16_t *len)

 {

   uint8_t idx = 0;

    

-  if (desc != NULL)  

+  if (desc != NULL)

   {

-    *len =  USBD_GetLen(desc) * 2 + 2;     

+    *len = USBD_GetLen(desc) * 2 + 2;

+    if (*len > USBD_MAX_STR_DESC_SIZ)

+        *len = USBD_MAX_STR_DESC_SIZ;

+

     unicode[idx++] = *len;

     unicode[idx++] =  USB_DESC_TYPE_STRING;

      

-    while (*desc != '\0')  

+    while (*desc != '\0' && idx < *len - 1)

     {

       unicode[idx++] = *desc++;

       unicode[idx++] =  0x00;
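
Review bot: in the added clamp ("if (*len > USBD_MAX_STR_DESC_SIZ)" / "*len = USBD_MAX_STR_DESC_SIZ;"), an odd macro value leaves an odd length in *len, so unicode[0] reports one byte more than the loop fills, because the loop writes bytes in pairs and stops at "idx < *len - 1". Rounding the clamped value down to an even number would keep the reported length and the written bytes in step. Also, idx is declared uint8_t and "unicode[idx++] = *len" stores the length in a single byte, so for a macro value above 255 the new bound would not stop idx from wrapping on a long enough string; a comment or a build-time check on the macro would make that limit explicit. Smaller points: the truncation is silent, so a build-time check of the descriptor string length against the macro would surface an oversized string earlier; the body of the new if is indented eight spaces where the rest of the function steps by two; and the whitespace-only changes to the two existing lines would be easier to review in a separate commit.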

--

2.1.4