author: Ruiyu Ni <ruiyu.ni@intel.com> 2018-10-25 18:09:46 +0800
committer: Ruiyu Ni <ruiyu.ni@intel.com> 2018-10-29 11:11:03 +0800
commit: 70425456dae16fca23540936c8fb0d2b86776b97 (patch)
tree: a5a9f70df8c4df585e772afc97d2f089d2c19295
parent: c96de1dbaedce11489974c3e977f1de4ec5cfb84 (diff)
MdeModulePkg/UsbBusPei: Reject descriptor whose length is bad
Today's implementation doesn't check whether the length of descriptor is valid before using it.

The patch fixes this issue by syncing the similar fix to UsbBusDxe.
70c3c2370a2aefe71cf0f6c1a1e063f7d74e1d79
*MdeModulePkg/UsbBus: Reject descriptor whose length is bad

Additionally the patch also rejects the data when length is larger than sizeof (PeiUsbDevice->ConfigurationData).

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
-rw-r--r-- MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c 14
1 files changed, 14 insertions, 0 deletions
diff --git a/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c b/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
index 86734f2f73..c31247abfe 100644
--- a/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
+++ b/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
@@ -817,6 +817,20 @@ PeiUsbGetAllConfiguration (
ConfigDescLength = ConfigDesc->TotalLength;
//
+ // Reject if TotalLength even cannot cover itself.
+ //
+ if (ConfigDescLength < OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) + sizeof (ConfigDesc->TotalLength)) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
+ // Reject if TotalLength exceeds the PeiUsbDevice->ConfigurationData.
+ //
+ if (ConfigDescLength > sizeof (PeiUsbDevice->ConfigurationData)) {
+ return EFI_DEVICE_ERROR;
+ }
+
+ //
// Then we get the total descriptors for this configuration
//
Status = PeiUsbGetDescriptor (
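Review bot: The lower bound in the first added check only requires TotalLength to cover the TotalLength field itself (OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) + sizeof (ConfigDesc->TotalLength)), so a device-supplied value smaller than sizeof (EFI_USB_CONFIG_DESCRIPTOR) still passes. If the code after the PeiUsbGetDescriptor call reads other configuration-descriptor header fields from the fetched data (not visible in this hunk), compare against sizeof (EFI_USB_CONFIG_DESCRIPTOR) instead, or extend the comment to say why the smaller bound is sufficient. Both new rejection paths also return EFI_DEVICE_ERROR silently; a DEBUG ((DEBUG_ERROR, ...)) line that reports the rejected TotalLength would make a malformed descriptor much easier to diagnose in the field. Minor wording: the first comment reads better as "Reject if TotalLength cannot even cover itself."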