Vulnerability Information
Vulnerability
USBX Host CDC ECM integer underflow with buffer overflow
Vulnerability Information
Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack, fully integrated with Azure RTOS ThreadX and available for all Azure RTOS ThreadX–supported processors. The Azure RTOS USBX implementation of host support for USB CDC ECM contains an integer underflow and a buffer overflow in the `_ux_host_class_cdc_ecm_mac_address_get` function, which may be exploited to achieve remote code execution or denial of service. Setting the MAC address string descriptor length to `0` or `1` allows an attacker to introduce an integer underflow (of `string_length`) followed by a buffer overflow of the `cdc_ecm -> ux_host_class_cdc_ecm_node_id` array. This may allow an attacker to redirect the code execution flow or cause a denial of service. The fix has been included in USBX release [6.1.12](https://github.com/azure-rtos/usbx/releases/tag/v6.1.12_rel). As a workaround, the MAC address string descriptor length validation may be improved to check for unexpectedly small values.
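The length check described as a workaround, shown as an added example that is not USBX code and not taken from the advisory: a stand-alone C parser for a MAC address string descriptor that validates the length byte before using it, plus a helper showing how an unchecked unsigned subtraction wraps for lengths `0` and `1`. The function names, the sample descriptors and the exact-length policy are assumptions for illustration (26 bytes: a 2-byte header plus 12 UTF-16LE hex digits); the policy goes beyond the "unexpectedly small" check by rejecting any other length as well.

```c
#include <stddef.h>
#include <stdint.h>

#define NODE_ID_LEN   6u    /* bytes in an Ethernet MAC address */
#define USB_DT_STRING 0x03u /* bDescriptorType of a USB string descriptor */
#define MAC_DESC_LEN  26u   /* assumed: 2-byte header + 12 UTF-16LE hex digits */

/* Unchecked "bLength - 2" in unsigned arithmetic: 0 or 1 wraps to a huge count. */
uint32_t unchecked_payload_len(uint8_t b_length) { return (uint32_t)b_length - 2u; }

static int hex_val(uint8_t c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Hypothetical hardened parser. Returns 0 on success, -1 on a malformed
   descriptor; node_id is written only after every check has passed. */
int parse_mac_string_descriptor(const uint8_t *desc, size_t avail,
                                uint8_t node_id[NODE_ID_LEN])
{
    uint8_t tmp[NODE_ID_LEN];
    if (desc == NULL || avail < 2) return -1;        /* header must be present */
    if (desc[1] != USB_DT_STRING) return -1;
    if (desc[0] != MAC_DESC_LEN || avail < MAC_DESC_LEN) return -1; /* rejects 0 and 1 */
    for (size_t i = 0; i < NODE_ID_LEN; i++) {
        const uint8_t *p = desc + 2 + 4 * i;         /* two UTF-16LE code units */
        int hi = hex_val(p[0]), lo = hex_val(p[2]);
        if (hi < 0 || lo < 0 || p[1] != 0 || p[3] != 0) return -1;
        tmp[i] = (uint8_t)((hi << 4) | lo);
    }
    for (size_t i = 0; i < NODE_ID_LEN; i++) node_id[i] = tmp[i];
    return 0;
}

/* Constructed sample descriptors (not captured from a real device). */
const uint8_t sample_ok[26] = {26, 0x03,
    '0',0, '0',0, '1',0, '1',0, '2',0, '2',0,
    'A',0, 'A',0, 'B',0, 'B',0, 'C',0, 'C',0};
const uint8_t sample_len0[2] = {0, 0x03};
const uint8_t sample_len1[2] = {1, 0x03};
uint8_t sample_out[NODE_ID_LEN];
```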
Vulnerability Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
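Vulnerability
Stack-based buffer overflow
Vulnerability
Azure RTOS USBX security vulnerability
Vulnerability Information
Azure RTOS USBX is an open-source USB host, device, and on-the-go (OTG) embedded stack from Azure RTOS. It is fully integrated with Azure RTOS ThreadX and available for all processors supported by Azure RTOS ThreadX. Versions of Azure RTOS USBX prior to 6.1.12 contain a security vulnerability caused by an integer underflow and a buffer overflow in the `_ux_host_class_cdc_ecm_mac_address_get` function, which may be exploited to achieve remote code execution or denial of service.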