USB: fix user buffer overwrite

lib/usb_cdcacm.c

@@ -395,10 +395,14 @@ static void usb_cdcacm_data_tx_cb(usbd_device *usbd_dev, uint8_t ep)
 		return;
 	}
 	if (!tx_lock) {
-		usb_tx_ongoing = true; // remember we started transmission	
+		usb_tx_ongoing = true; // remember we started transmission
 		uint16_t usb_length = (tx_used > USB_DATA_TRANSFER_SIZE ? USB_DATA_TRANSFER_SIZE : tx_used); // length of data to be transmitted (respect max packet size)
 		usb_length = (usb_length > (LENGTH(tx_buffer)-tx_i) ? LENGTH(tx_buffer)-tx_i : usb_length); // since here we use the source array not as ring buffer, only go up to the end
-		while (usb_length != usbd_ep_write_packet(usb_device, usb_cdcacm_data_endpoints[1].bEndpointAddress, (void*)(&tx_buffer[tx_i]), usb_length)); // ensure data is written into transmit buffer
+		uint8_t usb_data[USB_DATA_TRANSFER_SIZE]; // buffer to transmit data
+		for (uint16_t i=0; i<usb_length && i<USB_DATA_TRANSFER_SIZE; i++) { // copy data to be transferred so it can not be tempered with
+			usb_data[i] = tx_buffer[tx_i+i];
+		}
+		while (usb_length != usbd_ep_write_packet(usb_device, usb_cdcacm_data_endpoints[1].bEndpointAddress, (void*)(usb_data), usb_length)); // ensure data is written into transmit buffer
 		tx_i = (tx_i+usb_length)%LENGTH(tx_buffer); // update location on buffer
 		tx_used -= usb_length; // update used size
 	} else {