From f89f1dbe5205f7bb7878a9e8b9149d3a6a894104 Mon Sep 17 00:00:00 2001
From: Evgeny Yakovlev <insoreiges@gmail.com>
Date: Sun, 5 Jun 2016 22:28:31 +0800
Subject: MdeModulePkg/UsbBusDxe: Fixed USB descriptor length check

According to spec if the length of a descriptor is smaller than
what the specification defines, then the host shall ignore it.
However if the size is greater than expected the host will ignore
the extra bytes and start looking for the next descriptor
at the end of actual length returned. Original check did not
handle the latter case correctly and only allowed descriptors
with lengths exactly as defined in specification.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Evgeny Yakovlev <insoreiges@gmail.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
---
 MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'MdeModulePkg')

diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
index 5b8b1aaeae..fba60dae16 100644
--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
+++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
@@ -199,8 +199,8 @@ UsbCreateDesc (
     }
   }
 
-  if ((Len <= Offset)      || (Len < Offset + DescLen) ||
-      (Head->Type != Type) || (Head->Len != DescLen)) {
+  if ((Len <= Offset)      || (Len < Offset + Head->Len) ||
+      (Head->Type != Type) || (Head->Len < DescLen)) {
     DEBUG (( EFI_D_ERROR, "UsbCreateDesc: met mal-format descriptor\n"));
     return NULL;
   }
-- 
cgit v1.2.3