MdeModulePkg/UsbBus: Reject descriptor whose length is bad

Today's implementation doesn't check whether the length of descriptor is valid before using it. The patch fixes this issue. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Star Zeng <star.zeng@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com>
author: Ruiyu Ni <ruiyu.ni@intel.com> 2018-09-27 16:36:05 +0800
committer: Ruiyu Ni <ruiyu.ni@intel.com> 2018-10-17 11:03:57 +0800
commit: 70c3c2370a2aefe71cf0f6c1a1e063f7d74e1d79 (patch)
tree: d004f2904f04bcc23b70487aab9f505343baa7b1
parent: 4c034bf62cbc1f3c5f4b5df25de97f0f528132b2 (diff)
download: edk2-70c3c2370a2aefe71cf0f6c1a1e063f7d74e1d79.tar.gz
edk2-70c3c2370a2aefe71cf0f6c1a1e063f7d74e1d79.tar.bz2
edk2-70c3c2370a2aefe71cf0f6c1a1e063f7d74e1d79.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
index 70442c57da..9fc6422ab1 100644
--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
+++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
@@ -772,6 +772,13 @@ UsbGetOneConfig (
 
   DEBUG (( EFI_D_INFO, "UsbGetOneConfig: total length is %d\n", Desc.TotalLength));
 
+  //
+  // Reject if TotalLength even cannot cover itself.
+  //
+  if (Desc.TotalLength < OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) + sizeof (Desc.TotalLength)) {
+    return NULL;
+  }
+
   Buf = AllocateZeroPool (Desc.TotalLength);
 
   if (Buf == NULL) {
author	Ruiyu Ni <ruiyu.ni@intel.com>	2018-09-27 16:36:05 +0800
committer	Ruiyu Ni <ruiyu.ni@intel.com>	2018-10-17 11:03:57 +0800
commit	70c3c2370a2aefe71cf0f6c1a1e063f7d74e1d79 (patch)
tree	d004f2904f04bcc23b70487aab9f505343baa7b1
parent	4c034bf62cbc1f3c5f4b5df25de97f0f528132b2 (diff)
download	edk2-70c3c2370a2aefe71cf0f6c1a1e063f7d74e1d79.tar.gz edk2-70c3c2370a2aefe71cf0f6c1a1e063f7d74e1d79.tar.bz2 edk2-70c3c2370a2aefe71cf0f6c1a1e063f7d74e1d79.zip