Merge pull request #413 from espressif/fix/CVE-UNTRUST-002

tore-espressif · web-flow · commit 86c3638ec540 · 2026-02-20T12:56:55.000+01:00
fix(host): Limit max endpoints in interface to 32
diff --git a/host/usb/include/usb/usb_helpers.h b/host/usb/include/usb/usb_helpers.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -79,7 +79,7 @@ int usb_parse_interface_number_of_alternate(const usb_config_desc_t *config_desc
  * @param[in] bInterfaceNumber Interface number
  * @param[in] bAlternateSetting Alternate setting number
  * @param[out] offset Byte offset of the interface descriptor relative to the start of the configuration descriptor. Can be NULL.
- * @return const usb_intf_desc_t* Pointer to interface descriptor, NULL if not found.
+ * @return const usb_intf_desc_t* Pointer to interface descriptor, NULL if not found or invalid (e.g., too many endpoints) descriptor
  */
 const usb_intf_desc_t *usb_parse_interface_descriptor(const usb_config_desc_t *config_desc, uint8_t bInterfaceNumber, uint8_t bAlternateSetting, int *offset);
 
diff --git a/host/usb/include/usb/usb_types_ch9.h b/host/usb/include/usb/usb_types_ch9.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -432,6 +432,11 @@ ESP_STATIC_ASSERT(sizeof(usb_iad_desc_t) == USB_IAD_DESC_SIZE, "Size of usb_iad_
  */
 #define USB_INTF_DESC_SIZE      9
 
+/**
+ * @brief Maximum number of endpoints in a USB interface descriptor
+ */
+#define USB_MAX_ENDPOINTS_PER_INTERFACE  32 // 16 IN and 16 OUT
+
 /**
  * @brief Structure representing a USB interface descriptor
  *
diff --git a/host/usb/src/usb_helpers.c b/host/usb/src/usb_helpers.c
@@ -107,8 +107,16 @@ const usb_intf_desc_t *usb_parse_interface_descriptor(const usb_config_desc_t *c
         // Get the next interface descriptor
         next_intf_desc = (const usb_intf_desc_t *)usb_parse_next_descriptor_of_type((const usb_standard_desc_t *)next_intf_desc, config_desc->wTotalLength, USB_B_DESCRIPTOR_TYPE_INTERFACE, &offset_temp);
     }
-    if (next_intf_desc != NULL && offset != NULL) {
-        *offset = offset_temp;
+
+    if (next_intf_desc != NULL) {
+        // In case offset was provided, set it
+        if (offset != NULL) {
+            *offset = offset_temp;
+        }
+        // Check if the interface descriptor has too many endpoints
+        if (next_intf_desc->bNumEndpoints > USB_MAX_ENDPOINTS_PER_INTERFACE) {
+            return NULL;    // Too many endpoints, invalid descriptor
+        }
     }
     return next_intf_desc;
 }
diff --git a/host/usb/test/host_test/usb_host_layer_test/main/usb_helpers_descriptor_parsing_test.cpp b/host/usb/test/host_test/usb_host_layer_test/main/usb_helpers_descriptor_parsing_test.cpp
@@ -477,3 +477,40 @@ TEST_CASE("USB descriptor parsing with bLength=0", "[helpers]")
         }
     }
 }
+
+TEST_CASE("USB descriptor parsing with interface that has too many endpoints", "[helpers]")
+{
+    // Minimal config descriptor containing an interface with bNumEndpoints > USB_MAX_ENDPOINTS_PER_INTERFACE (32)
+    static const uint8_t bad_config_desc_bytes[] = {
+        // Configuration Descriptor (9 bytes)
+        0x09,                       // bLength = 9
+        0x02,                       // bDescriptorType = Configuration
+        0x12, 0x00,                 // wTotalLength = 18
+        0x01,                       // bNumInterfaces = 1
+        0x01,                       // bConfigurationValue = 1
+        0x00,                       // iConfiguration = 0
+        0x80,                       // bmAttributes
+        0x32,                       // bMaxPower = 100mA
+        // Interface Descriptor (9 bytes) with bNumEndpoints = 33 (> 32)
+        0x09,                       // bLength = 9
+        0x04,                       // bDescriptorType = Interface
+        0x00,                       // bInterfaceNumber = 0
+        0x00,                       // bAlternateSetting = 0
+        0x21,                       // bNumEndpoints = 33  <-- exceeds USB_MAX_ENDPOINTS_PER_INTERFACE
+        0xFF, 0x00, 0x00, 0x00,     // bInterfaceClass, SubClass, Protocol, iInterface
+    };
+
+    const auto *config_desc = reinterpret_cast<const usb_config_desc_t *>(bad_config_desc_bytes);
+
+    GIVEN("A configuration descriptor with an interface declaring too many endpoints") {
+        int offset = 0;
+
+        WHEN("Parsing the interface descriptor by number and alternate setting") {
+            const auto *intf_desc = usb_parse_interface_descriptor(config_desc, 0, 0, &offset);
+
+            THEN("The parser returns NULL and rejects the invalid descriptor") {
+                REQUIRE(intf_desc == nullptr);
+            }
+        }
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -107,8 +107,16 @@ const usb_intf_desc_t usb_parse_interface_descriptor(const usb_config_desc_t c`
`107`	`107`	`// Get the next interface descriptor`
`108`	`108`	`next_intf_desc = (const usb_intf_desc_t )usb_parse_next_descriptor_of_type((const usb_standard_desc_t )next_intf_desc, config_desc->wTotalLength, USB_B_DESCRIPTOR_TYPE_INTERFACE, &offset_temp);`
`109`	`109`	`}`
`110`		`- if (next_intf_desc != NULL && offset != NULL) {`
`111`		`- *offset = offset_temp;`
	`110`	`+`
	`111`	`+ if (next_intf_desc != NULL) {`
	`112`	`+ // In case offset was provided, set it`
	`113`	`+ if (offset != NULL) {`
	`114`	`+ *offset = offset_temp;`
	`115`	`+ }`
	`116`	`+ // Check if the interface descriptor has too many endpoints`
	`117`	`+ if (next_intf_desc->bNumEndpoints > USB_MAX_ENDPOINTS_PER_INTERFACE) {`
	`118`	`+ return NULL; // Too many endpoints, invalid descriptor`
	`119`	`+ }`
`112`	`120`	`}`
`113`	`121`	`return next_intf_desc;`
`114`	`122`	`}`