AVRISP-MKII Clone: Add length checks to SPI Multi and XPROG read/write commands.
authorDean Camera <dean@fourwalledcubicle.com>
Sat, 19 Jun 2021 05:01:52 +0000 (15:01 +1000)
committerDean Camera <dean@fourwalledcubicle.com>
Sat, 19 Jun 2021 05:01:52 +0000 (15:01 +1000)
LUFA/Drivers/USB/Class/Device/RNDISClassDevice.c
Projects/AVRISP-MKII/Lib/ISP/ISPProtocol.c
Projects/AVRISP-MKII/Lib/XPROG/XPROGProtocol.c

index bf5f696..cb96c5e 100644 (file)
@@ -81,6 +81,9 @@ void RNDIS_Device_ProcessControlRequest(USB_ClassInfo_RNDIS_Device_t* const RNDI
                case RNDIS_REQ_SendEncapsulatedCommand:
                        if (USB_ControlRequest.bmRequestType == (REQDIR_HOSTTODEVICE | REQTYPE_CLASS | REQREC_INTERFACE))
                        {
+                               if (USB_ControlRequest.wLength >= sizeof(RNDISInterfaceInfo->Config.MessageBuffer))
+                                       break;
+
                                Endpoint_ClearSETUP();
                                Endpoint_Read_Control_Stream_LE(RNDISInterfaceInfo->Config.MessageBuffer, USB_ControlRequest.wLength);
                                Endpoint_ClearIN();
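Review bot: The new guard compares `wLength` against `sizeof(RNDISInterfaceInfo->Config.MessageBuffer)`, which measures the member's declared type rather than the storage behind it. The declaration is outside this hunk, but the member is passed directly as the destination of `Endpoint_Read_Control_Stream_LE` on the next lines. If it is a pointer, `sizeof` yields the pointer width, so the check would reject almost every encapsulated command and would not reflect the real capacity. Comparing against the configured buffer length instead would bound the read correctly, e.g. `if (USB_ControlRequest.wLength > RNDISInterfaceInfo->Config.MessageBufferLength) break;`, assuming this tree's config struct carries that length field. The enclosing switch case continues past the hunk.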
index dda87a6..2e93139 100644 (file)
@@ -536,6 +536,12 @@ void ISPProtocol_SPIMulti(void)
     Endpoint_Read_Stream_LE(&SPI_Multi_Params, (sizeof(SPI_Multi_Params) - sizeof(SPI_Multi_Params.TxData)), NULL);
     Endpoint_Read_Stream_LE(&SPI_Multi_Params.TxData, SPI_Multi_Params.TxBytes, NULL);
 
+    if (SPI_Multi_Params.TxBytes >= sizeof(SPI_Multi_Params.TxData))
+    {
+        Endpoint_StallTransaction();
+        return;
+    }
+
     Endpoint_ClearOUT();
     Endpoint_SelectEndpoint(AVRISP_DATA_IN_EPADDR);
     Endpoint_SetEndpointDirection(ENDPOINT_DIR_IN);
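Review bot: The added `TxBytes` check sits after the second `Endpoint_Read_Stream_LE` call, which has already copied `SPI_Multi_Params.TxBytes` host-supplied bytes into `SPI_Multi_Params.TxData`. An oversized request therefore overruns the buffer before it is rejected. Move the `if (SPI_Multi_Params.TxBytes >= sizeof(SPI_Multi_Params.TxData))` block up so it runs between the header read and the `TxData` read. The XPROGProtocol_WriteMemory hunk has the same ordering: `Length` is tested only after the read into `ProgData`, and the test belongs directly after the `SwapEndian_16` line. Both function bodies start and end outside their hunks.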
index a39bda6..b8db41a 100644 (file)
@@ -250,6 +250,12 @@ static void XPROGProtocol_WriteMemory(void)
        WriteMemory_XPROG_Params.Length  = SwapEndian_16(WriteMemory_XPROG_Params.Length);
        Endpoint_Read_Stream_LE(&WriteMemory_XPROG_Params.ProgData, WriteMemory_XPROG_Params.Length, NULL);
 
+       if (WriteMemory_XPROG_Params.Length >= sizeof(WriteMemory_XPROG_Params.ProgData))
+       {
+               Endpoint_StallTransaction();
+               return;
+       }
+
        // The driver will terminate transfers that are a round multiple of the endpoint bank in size with a ZLP, need
        // to catch this and discard it before continuing on with packet processing to prevent communication issues
        if (((sizeof(uint8_t) + sizeof(WriteMemory_XPROG_Params) - sizeof(WriteMemory_XPROG_Params.ProgData)) +
@@ -337,16 +343,22 @@ static void XPROGProtocol_ReadMemory(void)
                uint16_t Length;
        } ReadMemory_XPROG_Params;
 
+       uint8_t ReadBuffer[256];
+
        Endpoint_Read_Stream_LE(&ReadMemory_XPROG_Params, sizeof(ReadMemory_XPROG_Params), NULL);
        ReadMemory_XPROG_Params.Address = SwapEndian_32(ReadMemory_XPROG_Params.Address);
        ReadMemory_XPROG_Params.Length  = SwapEndian_16(ReadMemory_XPROG_Params.Length);
 
+       if (ReadMemory_XPROG_Params.Length >= sizeof(ReadBuffer))
+       {
+               Endpoint_StallTransaction();
+               return;
+       }
+
        Endpoint_ClearOUT();
        Endpoint_SelectEndpoint(AVRISP_DATA_IN_EPADDR);
        Endpoint_SetEndpointDirection(ENDPOINT_DIR_IN);
 
-       uint8_t ReadBuffer[256];
-
        if (XPROG_SelectedProtocol == XPROG_PROTOCOL_PDI)
        {
                /* Read the PDI target's memory, indicate timeout if occurred */
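Review bot: The bound `ReadMemory_XPROG_Params.Length >= sizeof(ReadBuffer)` also stalls a request for exactly 256 bytes, which fits in `ReadBuffer[256]`. Unless code past the hunk needs a spare byte, `if (ReadMemory_XPROG_Params.Length > sizeof(ReadBuffer))` keeps full-buffer reads working while still rejecting oversized ones. Unlike the write paths, this check is placed before any use of `Length`, which is the right order. A short comment such as `/* Length is host-controlled; reject reads that would overrun ReadBuffer */` would record why the stall is there. The function body continues past the hunk.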