From: Dean Camera
Date: Sat, 19 Jun 2021 05:01:52 +0000 (+1000)
Subject: AVRISP-MKII Clone: Add length checks to SPI Multi and XPROG read/write commands.
X-Git-Url: http://git.linex4red.de/pub/lufa.git/commitdiff_plain/1eb64e62d51f22903ce3e54b23f885d6957fe649
AVRISP-MKII Clone: Add length checks to SPI Multi and XPROG read/write commands.
---
diff --git a/LUFA/Drivers/USB/Class/Device/RNDISClassDevice.c b/LUFA/Drivers/USB/Class/Device/RNDISClassDevice.c
index bf5f69601..cb96c5e6e 100644
--- a/LUFA/Drivers/USB/Class/Device/RNDISClassDevice.c
+++ b/LUFA/Drivers/USB/Class/Device/RNDISClassDevice.c
@@ -81,6 +81,9 @@ void RNDIS_Device_ProcessControlRequest(USB_ClassInfo_RNDIS_Device_t* const RNDI
 case RNDIS_REQ_SendEncapsulatedCommand:
 if (USB_ControlRequest.bmRequestType == (REQDIR_HOSTTODEVICE | REQTYPE_CLASS | REQREC_INTERFACE))
 {
+ if (USB_ControlRequest.wLength >= sizeof(RNDISInterfaceInfo->Config.MessageBuffer))
+ break;
+
 Endpoint_ClearSETUP();
 Endpoint_Read_Control_Stream_LE(RNDISInterfaceInfo->Config.MessageBuffer, USB_ControlRequest.wLength);
 Endpoint_ClearIN();
diff --git a/Projects/AVRISP-MKII/Lib/ISP/ISPProtocol.c b/Projects/AVRISP-MKII/Lib/ISP/ISPProtocol.c
index dda87a6f5..2e93139fb 100644
--- a/Projects/AVRISP-MKII/Lib/ISP/ISPProtocol.c
+++ b/Projects/AVRISP-MKII/Lib/ISP/ISPProtocol.c
@@ -536,6 +536,12 @@ void ISPProtocol_SPIMulti(void)
 Endpoint_Read_Stream_LE(&SPI_Multi_Params, (sizeof(SPI_Multi_Params) - sizeof(SPI_Multi_Params.TxData)), NULL);
 Endpoint_Read_Stream_LE(&SPI_Multi_Params.TxData, SPI_Multi_Params.TxBytes, NULL);
+ if (SPI_Multi_Params.TxBytes >= sizeof(SPI_Multi_Params.TxData))
+ {
+ Endpoint_StallTransaction();
+ return;
+ }
+
 Endpoint_ClearOUT();
 Endpoint_SelectEndpoint(AVRISP_DATA_IN_EPADDR);
 Endpoint_SetEndpointDirection(ENDPOINT_DIR_IN);
diff --git a/Projects/AVRISP-MKII/Lib/XPROG/XPROGProtocol.c b/Projects/AVRISP-MKII/Lib/XPROG/XPROGProtocol.c
index a39bda6cb..b8db41ac9 100644
--- a/Projects/AVRISP-MKII/Lib/XPROG/XPROGProtocol.c
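Review bot: In `RNDIS_Device_ProcessControlRequest` the new guard compares `wLength` with `sizeof(RNDISInterfaceInfo->Config.MessageBuffer)`, which equals the buffer capacity only if `MessageBuffer` is declared as an array; its declaration is not visible in this hunk. If it is a pointer member, `sizeof` yields the pointer width, so the guard would reject nearly every encapsulated command and would no longer track the real capacity. In that case the comparison should use the configured buffer length instead. A short comment such as `/* Reject a host-supplied wLength that would overrun the message buffer */` above the check would record why the request is left unacknowledged. The function body continues outside the hunk.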
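Review bot: The length check in `ISPProtocol_SPIMulti` sits after the `Endpoint_Read_Stream_LE(&SPI_Multi_Params.TxData, SPI_Multi_Params.TxBytes, NULL)` call it is meant to guard, so an oversized host-supplied `TxBytes` has already been copied into the struct before the transaction is stalled. Move the `if (SPI_Multi_Params.TxBytes >= sizeof(SPI_Multi_Params.TxData))` block up between the two reads, directly after the header fields are received. The `XPROGProtocol_WriteMemory` hunk has the same ordering: `ProgData` is filled using `Length` before `Length` is compared with `sizeof(WriteMemory_XPROG_Params.ProgData)`, and that check belongs right after the `SwapEndian_16` line. Both struct declarations are outside the hunks, so the field widths are inferred from the names and the byte-swap call.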
+++ b/Projects/AVRISP-MKII/Lib/XPROG/XPROGProtocol.c
@@ -250,6 +250,12 @@ static void XPROGProtocol_WriteMemory(void)
 WriteMemory_XPROG_Params.Length = SwapEndian_16(WriteMemory_XPROG_Params.Length);
 Endpoint_Read_Stream_LE(&WriteMemory_XPROG_Params.ProgData, WriteMemory_XPROG_Params.Length, NULL);
+ if (WriteMemory_XPROG_Params.Length >= sizeof(WriteMemory_XPROG_Params.ProgData))
+ {
+ Endpoint_StallTransaction();
+ return;
+ }
+
 // The driver will terminate transfers that are a round multiple of the endpoint bank in size with a ZLP, need
 // to catch this and discard it before continuing on with packet processing to prevent communication issues
 if (((sizeof(uint8_t) + sizeof(WriteMemory_XPROG_Params) - sizeof(WriteMemory_XPROG_Params.ProgData)) +
@@ -337,16 +343,22 @@ static void XPROGProtocol_ReadMemory(void)
 uint16_t Length;
 } ReadMemory_XPROG_Params;
+ uint8_t ReadBuffer[256];
+
 Endpoint_Read_Stream_LE(&ReadMemory_XPROG_Params, sizeof(ReadMemory_XPROG_Params), NULL);
 ReadMemory_XPROG_Params.Address = SwapEndian_32(ReadMemory_XPROG_Params.Address);
 ReadMemory_XPROG_Params.Length = SwapEndian_16(ReadMemory_XPROG_Params.Length);
+ if (ReadMemory_XPROG_Params.Length >= sizeof(ReadBuffer))
+ {
+ Endpoint_StallTransaction();
+ return;
+ }
+
 Endpoint_ClearOUT();
 Endpoint_SelectEndpoint(AVRISP_DATA_IN_EPADDR);
 Endpoint_SetEndpointDirection(ENDPOINT_DIR_IN);
- uint8_t ReadBuffer[256];
-
 if (XPROG_SelectedProtocol == XPROG_PROTOCOL_PDI)
 {
 /* Read the PDI target's memory, indicate timeout if occurred */
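Review bot: In `XPROGProtocol_ReadMemory` the guard uses `>=`, so a request for exactly `sizeof(ReadBuffer)` (256) bytes is stalled even though it would fit the buffer. If host tools read in full 256-byte blocks, this would reject legitimate reads. Unless the stricter bound is intentional, `if (ReadMemory_XPROG_Params.Length > sizeof(ReadBuffer))` matches the capacity. If it is intentional, a comment on the check should say why one byte is held back. The same `>=` comparison is used in the other three hunks of this commit, and the function continues past the end of this hunk.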