MdeModulePkg/UsbBus: Deny when the string descriptor length is odd

Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Star Zeng <star.zeng@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com>
author: Ruiyu Ni <ruiyu.ni@intel.com> 2018-09-17 16:05:26 +0800
committer: Ruiyu Ni <ruiyu.ni@intel.com> 2018-10-17 11:04:04 +0800
commit: b2252bab12deeb0f5981cf390dc6499d1689b4a2 (patch)
tree: 828dba20121195e9660a8f82dedb54386598abae /MdeModulePkg/Bus/Usb
parent: 6c46cbbd5e3e2db7f14c007482e062b90c73c70f (diff)
download: edk2-b2252bab12deeb0f5981cf390dc6499d1689b4a2.tar.gz
edk2-b2252bab12deeb0f5981cf390dc6499d1689b4a2.tar.bz2
edk2-b2252bab12deeb0f5981cf390dc6499d1689b4a2.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
index 9fc6422ab1..22b6a9d661 100644
--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
+++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
@@ -655,7 +655,13 @@ UsbGetOneString (
   //
   Status = UsbCtrlGetDesc (UsbDev, USB_DESC_TYPE_STRING, Index, LangId, &Desc, 2);
 
-  if (EFI_ERROR (Status)) {
+  //
+  // Reject if Length even cannot cover itself, or odd because Unicode string byte length should be even.
+  //
+  if (EFI_ERROR (Status) || 
+      (Desc.Length < OFFSET_OF (EFI_USB_STRING_DESCRIPTOR, Length) + sizeof (Desc.Length)) ||
+      (Desc.Length % 2 != 0)
+    ) {
     return NULL;
   }
author	Ruiyu Ni <ruiyu.ni@intel.com>	2018-09-17 16:05:26 +0800
committer	Ruiyu Ni <ruiyu.ni@intel.com>	2018-10-17 11:04:04 +0800
commit	b2252bab12deeb0f5981cf390dc6499d1689b4a2 (patch)
tree	828dba20121195e9660a8f82dedb54386598abae /MdeModulePkg/Bus/Usb
parent	6c46cbbd5e3e2db7f14c007482e062b90c73c70f (diff)
download	edk2-b2252bab12deeb0f5981cf390dc6499d1689b4a2.tar.gz edk2-b2252bab12deeb0f5981cf390dc6499d1689b4a2.tar.bz2 edk2-b2252bab12deeb0f5981cf390dc6499d1689b4a2.zip