From ae5a9d1e5734ffdf2d5d15353bf51b4429de0d0f Mon Sep 17 00:00:00 2001
From: sakumisu <1203593632@qq.com>
Date: Fri, 3 May 2024 19:19:17 +0800
Subject: [PATCH] check if eth rx packet is overflow

---
 class/cdc/usbh_cdc_ecm.c        |  4 ++++
 class/cdc/usbh_cdc_ncm.c        | 20 ++++++++++++--------
 class/vendor/net/usbh_asix.c    |  4 ++++
 class/vendor/net/usbh_rtl8152.c |  4 ++++
 class/wireless/usbh_rndis.c     |  6 +++++-
 5 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/class/cdc/usbh_cdc_ecm.c b/class/cdc/usbh_cdc_ecm.c
index 73ef45f3..a68fe2e5 100644
--- a/class/cdc/usbh_cdc_ecm.c
+++ b/class/cdc/usbh_cdc_ecm.c
@@ -279,6 +279,10 @@ find_class:
             }
         } else {
             /* read continue util read short packet */
+            if (g_cdc_ecm_rx_length > CONFIG_USBHOST_CDC_ECM_ETH_MAX_SEGSZE) {
+                USB_LOG_ERR("Rx packet is overflow\r\n");
+                g_cdc_ecm_rx_length = 0;
+            }
         }
     }
     // clang-format off
diff --git a/class/cdc/usbh_cdc_ncm.c b/class/cdc/usbh_cdc_ncm.c
index 5970f8c8..8fc4be1a 100644
--- a/class/cdc/usbh_cdc_ncm.c
+++ b/class/cdc/usbh_cdc_ncm.c
@@ -10,16 +10,16 @@
 #define USB_DBG_TAG "usbh_cdc_ncm"
 #include "usb_log.h"
 
-#define DEV_FORMAT                            "/dev/cdc_ncm"
+#define DEV_FORMAT "/dev/cdc_ncm"
 
 /* general descriptor field offsets */
-#define DESC_bLength                          0 /** Length offset */
-#define DESC_bDescriptorType                  1 /** Descriptor type offset */
-#define DESC_bDescriptorSubType               2 /** Descriptor subtype offset */
+#define DESC_bLength            0 /** Length offset */
+#define DESC_bDescriptorType    1 /** Descriptor type offset */
+#define DESC_bDescriptorSubType 2 /** Descriptor subtype offset */
 
 /* interface descriptor field offsets */
-#define INTF_DESC_bInterfaceNumber            2 /** Interface number offset */
-#define INTF_DESC_bAlternateSetting           3 /** Alternate setting offset */
+#define INTF_DESC_bInterfaceNumber  2 /** Interface number offset */
+#define INTF_DESC_bAlternateSetting 3 /** Alternate setting offset */
 
 #define CONFIG_USBHOST_CDC_NCM_ETH_MAX_SEGSZE 1514U
 
@@ -279,7 +279,7 @@ find_class:
 
     g_cdc_ncm_rx_length = 0;
     while (1) {
-        usbh_bulk_urb_fill(&g_cdc_ncm_class.bulkin_urb, g_cdc_ncm_class.hport, g_cdc_ncm_class.bulkin, &g_cdc_ncm_rx_buffer[g_cdc_ncm_rx_length], USB_GET_MAXPACKETSIZE(g_cdc_ncm_class.bulkin->wMaxPacketSize), USB_OSAL_WAITING_FOREVER, NULL, NULL);
+        usbh_bulk_urb_fill(&g_cdc_ncm_class.bulkin_urb, g_cdc_ncm_class.hport, g_cdc_ncm_class.bulkin, &g_cdc_ncm_rx_buffer[g_cdc_ncm_rx_length], CONFIG_USBHOST_CDC_NCM_ETH_MAX_RX_SIZE, USB_OSAL_WAITING_FOREVER, NULL, NULL);
         ret = usbh_submit_urb(&g_cdc_ncm_class.bulkin_urb);
         if (ret < 0) {
             goto find_class;
@@ -287,7 +287,7 @@ find_class:
 
         g_cdc_ncm_rx_length += g_cdc_ncm_class.bulkin_urb.actual_length;
 
-        if (g_cdc_ncm_class.bulkin_urb.actual_length != USB_GET_MAXPACKETSIZE(g_cdc_ncm_class.bulkin->wMaxPacketSize)) {
+        if (g_cdc_ncm_rx_length % USB_GET_MAXPACKETSIZE(g_cdc_ncm_class.bulkin->wMaxPacketSize)) {
             USB_LOG_DBG("rxlen:%d\r\n", g_cdc_ncm_rx_length);
 
             struct cdc_ncm_nth16 *nth16 = (struct cdc_ncm_nth16 *)&g_cdc_ncm_rx_buffer[0];
@@ -331,6 +331,10 @@ find_class:
             g_cdc_ncm_rx_length = 0;
 
         } else {
+            if (g_cdc_ncm_rx_length > CONFIG_USBHOST_CDC_NCM_ETH_MAX_RX_SIZE) {
+                USB_LOG_ERR("Rx packet is overflow\r\n");
+                g_cdc_ncm_rx_length = 0;
+            }
         }
     }
     // clang-format off
diff --git a/class/vendor/net/usbh_asix.c b/class/vendor/net/usbh_asix.c
index 3d5ce355..a3be3c7c 100644
--- a/class/vendor/net/usbh_asix.c
+++ b/class/vendor/net/usbh_asix.c
@@ -711,6 +711,10 @@ find_class:
                 USB_LOG_ERR("No memory to alloc pbuf for asix rx\r\n");
             }
         } else {
+            if (g_asix_rx_length > CONFIG_USBHOST_ASIX_ETH_MAX_SEGSZE) {
+                USB_LOG_ERR("Rx packet is overflow\r\n");
+                g_asix_rx_length = 0;
+            }
         }
     }
     // clang-format off
diff --git a/class/vendor/net/usbh_rtl8152.c b/class/vendor/net/usbh_rtl8152.c
index 1bad4378..7d68a91f 100644
--- a/class/vendor/net/usbh_rtl8152.c
+++ b/class/vendor/net/usbh_rtl8152.c
@@ -2199,6 +2199,10 @@ find_class:
                 }
             }
         } else {
+            if (g_rtl8152_rx_length > CONFIG_USBHOST_RTL8152_ETH_MAX_RX_SEGSZE) {
+                USB_LOG_ERR("Rx packet is overflow\r\n");
+                g_rtl8152_rx_length = 0;
+            }
         }
     }
     // clang-format off
diff --git a/class/wireless/usbh_rndis.c b/class/wireless/usbh_rndis.c
index f4d2577d..bac0e03c 100644
--- a/class/wireless/usbh_rndis.c
+++ b/class/wireless/usbh_rndis.c
@@ -459,8 +459,8 @@ find_class:
         }
     }
 
+    g_rndis_rx_length = 0;
     while (1) {
-        g_rndis_rx_length = 0;
         usbh_bulk_urb_fill(&g_rndis_class.bulkin_urb, g_rndis_class.hport, g_rndis_class.bulkin, g_rndis_rx_buffer, CONFIG_USBHOST_RNDIS_ETH_MAX_RX_SIZE, USB_OSAL_WAITING_FOREVER, NULL, NULL);
         ret = usbh_submit_urb(&g_rndis_class.bulkin_urb);
         if (ret < 0) {
@@ -507,6 +507,10 @@ find_class:
                 }
             }
         } else {
+            if (g_rndis_rx_length > CONFIG_USBHOST_RNDIS_ETH_MAX_RX_SIZE) {
+                USB_LOG_ERR("Rx packet is overflow\r\n");
+                g_rndis_rx_length = 0;
+            }
         }
     }