author | Ruiyu Ni <ruiyu.ni@intel.com> | 2018-09-27 16:36:05 +0800 |
---|---|---|
committer | Ruiyu Ni <ruiyu.ni@intel.com> | 2018-10-17 11:03:57 +0800 |
commit | 70c3c2370a2aefe71cf0f6c1a1e063f7d74e1d79 (patch) | |
tree | d004f2904f04bcc23b70487aab9f505343baa7b1 | |
parent | 4c034bf62cbc1f3c5f4b5df25de97f0f528132b2 (diff) | |
MdeModulePkg/UsbBus: Reject descriptor whose length is bad
The current implementation doesn't check whether the length of
the descriptor is valid before using it.
The patch fixes this issue.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
-rw-r--r-- | MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
index 70442c57da..9fc6422ab1 100644
--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
+++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
@@ -772,6 +772,13 @@ UsbGetOneConfig (
DEBUG (( EFI_D_INFO, "UsbGetOneConfig: total length is %d\n", Desc.TotalLength));
+ //
+ // Reject if TotalLength even cannot cover itself.
+ //
+ if (Desc.TotalLength < OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) + sizeof (Desc.TotalLength)) {
+ return NULL;
+ }
+
Buf = AllocateZeroPool (Desc.TotalLength);
if (Buf == NULL) {
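Review bot: The new guard in UsbGetOneConfig only requires `Desc.TotalLength` to reach the end of the TotalLength field itself (offset 2 plus 2 bytes, so 4), which is shorter than a complete configuration descriptor header. A device-reported value between 4 and `sizeof (EFI_USB_CONFIG_DESCRIPTOR) - 1` still passes and sizes the `AllocateZeroPool` buffer, so any later reader of `Buf` that touches the remaining header fields would run past the allocation unless it re-validates the length; that parsing code is outside this hunk, so this is a point to confirm rather than a demonstrated overread. If nothing downstream relies on accepting such short values, `if (Desc.TotalLength < sizeof (EFI_USB_CONFIG_DESCRIPTOR)) {` is the tighter floor. The reject path also returns NULL silently; a `DEBUG ((EFI_D_ERROR, ...))` line reporting the bad length would make a malformed device easier to diagnose. The function body starts and ends outside the hunk.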