From 8136f90d07d475049e5eef6fbf3d12be2452a914 Mon Sep 17 00:00:00 2001
From: Benedek Kupper
Date: Thu, 17 Jun 2021 23:58:14 +0200
Subject: [PATCH] DFU: fix buffer overflow possibility in dfu_download (#28) [3/3]
---
 Class/DFU/usbd_dfu.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/Class/DFU/usbd_dfu.c b/Class/DFU/usbd_dfu.c
index 09474af..516aae3 100644
--- a/Class/DFU/usbd_dfu.c
+++ b/Class/DFU/usbd_dfu.c
@@ -535,7 +535,11 @@ static USBD_ReturnType dfu_download(USBD_DFU_IfHandleType *itf)
 USBD_ReturnType retval = USBD_E_INVALID;
 USBD_HandleType *dev = itf->Base.Device;
- if (dev->Setup.Length > 0)
+ if (dev->Setup.Length > dfu_desc.DFUFD.wTransferSize)
+ {
+ /* Oversized request, invalid */
+ }
+ else if (dev->Setup.Length > 0)
 {
 /* Check for download support */
 if ((DFU_APP(itf)->Erase != NULL) && (DFU_APP(itf)->Write != NULL))
@@ -549,10 +553,12 @@ static USBD_ReturnType dfu_download(USBD_DFU_IfHandleType *itf)
 }
 /* Checks for valid sequence and overall length */
- if ( ( dev->Setup.Value == ((itf->BlockNum + 1) & 0xFFFF)) && (((uint32_t)itf->Address + dev->Setup.Length) < (DFU_APP(itf)->Firmware.Address + DFU_APP(itf)->Firmware.TotalSize)))
+ if ((dev->Setup.Value == ((itf->BlockNum + 1) & 0xFFFF)) &&
+#else
+ if (
 #endif /* (USBD_DFU_ST_EXTENSION == 0) */
+ (((uint32_t)itf->Address + dev->Setup.Length) < (DFU_APP(itf)->Firmware.Address + DFU_APP(itf)->Firmware.TotalSize)))
 {
 /* Update the global length and block number */
 itf->BlockNum = dev->Setup.Value;
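Review bot: The new upper bound in the first added line compares `dev->Setup.Length` against the descriptor field `dfu_desc.DFUFD.wTransferSize`, so it only prevents the overflow if the buffer the data stage writes into is really at least that many bytes; that buffer and the descriptor definition are outside this hunk, so the coupling should be pinned where they are defined (a `_Static_assert` tying the buffer size to the value placed in `wTransferSize`, or at least a comment on the check such as `/* Setup.Length bounds the data-stage write into the transfer buffer; must not exceed it */`). The empty `{ /* Oversized request, invalid */ }` branch relies on `retval` still holding the `USBD_E_INVALID` it was initialised with two lines above; writing `retval = USBD_E_INVALID;` inside the branch makes the rejection explicit and survives later edits to the initialiser. dfu_download continues outside the hunk.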
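Review bot: The range test kept on the new side still uses strict `<`, so a final download block whose end lands exactly on `Firmware.Address + Firmware.TotalSize` is rejected even though it fits, assuming `TotalSize` is the byte size of the region; `<=` accepts it while still excluding any write past the end: `(((uint32_t)itf->Address + dev->Setup.Length) <=`. The sum on that line is 32-bit and can wrap when `itf->Address` is near `UINT32_MAX`; with `Setup.Length` now bounded by `wTransferSize` in the first hunk that window is small, but a comment stating that `itf->Address` is kept at or above `Firmware.Address` by the caller (which this hunk cannot confirm) would document why the single comparison is enough. Splitting `if (` across `#if`/`#else`/`#endif` is hard to read; evaluating the sequence condition into a local under the preprocessor switch and keeping one plain `if (in_sequence && in_range)` makes the length check unconditional by construction. The matching `#if (USBD_DFU_ST_EXTENSION == 0)` opens outside the hunk, as does the rest of dfu_download.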