From d9e687d7e1ca75c16386ce50199aec6e1941bd6c Mon Sep 17 00:00:00 2001 From: akallabeth Date: Thu, 13 Oct 2022 09:00:48 +0200 Subject: [PATCH] Added missing length check in urb_control_transfer --- channels/urbdrc/client/data_transfer.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c index e531e34a4..e06af1801 100644 --- a/channels/urbdrc/client/data_transfer.c +++ b/channels/urbdrc/client/data_transfer.c @@ -686,7 +686,11 @@ static UINT urb_control_transfer(IUDEVICE* pdev, GENERIC_CHANNEL_CALLBACK* callb buffer = Stream_Pointer(out); if (transferDir == USBD_TRANSFER_DIRECTION_OUT) + { + if (!Stream_CheckAndLogRequiredLength(TAG, s, OutputBufferSize)) + return ERROR_INVALID_DATA; Stream_Copy(s, out, OutputBufferSize); + } /** process TS_URB_CONTROL_TRANSFER */ if (!pdev->control_transfer(pdev, RequestId, EndpointAddress, TransferFlags, bmRequestType,