diff --git a/examples/device/cdc_msc/src/msc_disk.c b/examples/device/cdc_msc/src/msc_disk.c index d2f8628f1..d325d77fa 100644 --- a/examples/device/cdc_msc/src/msc_disk.c +++ b/examples/device/cdc_msc/src/msc_disk.c @@ -190,7 +190,14 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff (void) lun; // out of ramdisk - if ( lba >= DISK_BLOCK_NUM ) return -1; + if ( lba >= DISK_BLOCK_NUM ) { + return -1; + } + + // Check for overflow of offset + bufsize + if ( offset + bufsize > DISK_BLOCK_SIZE ) { + return -1; + } uint8_t const* addr = msc_disk[lba] + offset; memcpy(buffer, addr, bufsize); diff --git a/examples/device/cdc_msc_freertos/src/msc_disk.c b/examples/device/cdc_msc_freertos/src/msc_disk.c index d2f8628f1..d325d77fa 100644 --- a/examples/device/cdc_msc_freertos/src/msc_disk.c +++ b/examples/device/cdc_msc_freertos/src/msc_disk.c @@ -190,7 +190,14 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff (void) lun; // out of ramdisk - if ( lba >= DISK_BLOCK_NUM ) return -1; + if ( lba >= DISK_BLOCK_NUM ) { + return -1; + } + + // Check for overflow of offset + bufsize + if ( offset + bufsize > DISK_BLOCK_SIZE ) { + return -1; + } uint8_t const* addr = msc_disk[lba] + offset; memcpy(buffer, addr, bufsize); diff --git a/src/class/net/ncm_device.c b/src/class/net/ncm_device.c index aac11a058..f9fda0698 100644 --- a/src/class/net/ncm_device.c +++ b/src/class/net/ncm_device.c @@ -857,7 +857,8 @@ bool netd_xfer_cb(uint8_t rhport, uint8_t ep_addr, xfer_result_t result, uint32_ // - if there is a free receive buffer, initiate reception if (!recv_validate_datagram(ncm_interface.recv_tinyusb_ntb, xferred_bytes)) { // verification failed: ignore NTB and return it to free - TU_LOG_DRV("(EE) VALIDATION FAILED. WHAT CAN WE DO IN THIS CASE?\n"); + TU_LOG_DRV("Invalid datatagram. Ignoring NTB\n"); + recv_put_ntb_into_free_list(ncm_interface.recv_tinyusb_ntb); } else { // packet ok -> put it into ready list recv_put_ntb_into_ready_list(ncm_interface.recv_tinyusb_ntb);