From d5f2c34eaa3e840b32817829031b95c6b7780314 Mon Sep 17 00:00:00 2001
From: szymonh <12231135+szymonh@users.noreply.github.com>
Date: Sun, 12 Sep 2021 20:09:58 +0200
Subject: [PATCH 1/2] Prevent buffer overflow in bth_device.c
---
 src/class/bth/bth_device.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/class/bth/bth_device.c b/src/class/bth/bth_device.c
index 1d27ae7c..09fab953 100755
--- a/src/class/bth/bth_device.c
+++ b/src/class/bth/bth_device.c
@@ -214,7 +214,7 @@ bool btd_control_xfer_cb(uint8_t rhport, uint8_t stage, tusb_control_request_t c
 }
 else return false;
- return tud_control_xfer(rhport, request, &_btd_itf.hci_cmd, request->wLength);
+ return tud_control_xfer(rhport, request, &_btd_itf.hci_cmd, sizeof(_btd_itf.hci_cmd));
 }
 else if ( stage == CONTROL_STAGE_DATA )
 {
From 50e3c0054f8d26340863667a50aae5a798f6aefc Mon Sep 17 00:00:00 2001
From: szymonh <12231135+szymonh@users.noreply.github.com>
Date: Mon, 13 Sep 2021 10:23:03 +0200
Subject: [PATCH 2/2] Add size check to tud_bt_hci_cmd_cb call in bth_device.c
---
 src/class/bth/bth_device.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/class/bth/bth_device.c b/src/class/bth/bth_device.c
index 09fab953..b73f829c 100755
--- a/src/class/bth/bth_device.c
+++ b/src/class/bth/bth_device.c
@@ -221,7 +221,7 @@ bool btd_control_xfer_cb(uint8_t rhport, uint8_t stage, tusb_control_request_t c
 // Handle class request only
 TU_VERIFY(request->bmRequestType_bit.type == TUSB_REQ_TYPE_CLASS);
- if (tud_bt_hci_cmd_cb) tud_bt_hci_cmd_cb(&_btd_itf.hci_cmd, request->wLength);
+ if (tud_bt_hci_cmd_cb) tud_bt_hci_cmd_cb(&_btd_itf.hci_cmd, tu_min16(request->wLength, sizeof(_btd_itf.hci_cmd)));
 }
 return true;
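Review bot: A request whose host-supplied `wLength` exceeds `sizeof(_btd_itf.hci_cmd)` is still accepted by the new `tud_control_xfer` call in the first patch, so an over-long HCI command would presumably be cut to the buffer size and then handled as if it were complete. Rejecting it in the setup stage would make the failure visible to the host, for example `TU_VERIFY(request->wLength <= sizeof(_btd_itf.hci_cmd));` just before the call, assuming `TU_VERIFY` returns false from this function as its use in the data stage suggests. The clamp the second patch adds around `tud_bt_hci_cmd_cb` works around the same condition and would then be only a safety net. A comment such as `// wLength is host-controlled; the receive length must be the buffer size` would record why `sizeof` is passed. The body of `btd_control_xfer_cb` starts and ends outside the hunk.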
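Review bot: The length passed to `tud_bt_hci_cmd_cb` in the second patch is still derived from the host-declared `wLength`, not from the number of bytes the data stage actually received. If a transfer ends short, the callback may be told to read bytes left in `_btd_itf.hci_cmd` by an earlier command. Whether the control-transfer layer exposes the received count is not visible in this hunk, so clearing the buffer in the setup stage before arming the transfer is a fallback worth considering. The `sizeof(...)` argument is also narrowed implicitly if `tu_min16` takes 16-bit operands, as its name suggests, so a compile-time check that the buffer size fits in `uint16_t` would document that assumption. The function continues outside the hunk.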