Possible buffer overflow

[adob]

_ux_device_stack_initialize allocates 256 bytes for ux_slave_transfer_request_data_pointer but up to 512 bytes may be written there since wMaxPacketSize is 512 in USB High-Speed mode.

Size check here:

usbx/common/core/src/ux_device_stack_initialize.c

Lines 186 to 187 in cfdd55c

	transfer_request -> ux_slave_transfer_request_data_pointer =
	_ux_utility_memory_allocate(UX_NO_ALIGN, UX_CACHE_SAFE_MEMORY, UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH);

Buffer allocated here:

usbx/common/usbx_device_classes/src/ux_device_class_cdc_acm_read.c

Lines 190 to 194 in cfdd55c

	/* Check if we have enough in the local buffer. */
	if (requested_length > endpoint -> ux_slave_endpoint_descriptor.wMaxPacketSize)
	/* We have too much to transfer. */
	local_requested_length = endpoint -> ux_slave_endpoint_descriptor.wMaxPacketSize;

Buffer written here:

 HAL_PCD_EP_Receive(dcd_stm32 -> pcd_handle,
                            endpoint->ux_slave_endpoint_descriptor.bEndpointAddress,
                            transfer_request->ux_slave_transfer_request_data_pointer,
                            transfer_request->ux_slave_transfer_request_requested_length);

[fdesbiens]

Thank you for raising this issue @adob. I will ask a member of the team to take a look.