According to spec if the length of a descriptor is smaller than what the specification defines, then the host shall ignore it. However if the size is greater than expected the host will ignore the extra bytes and start looking for the next descriptor at the end of actual length returned. Original check did not handle the latter case correctly and only allowed descriptors with lengths exactly as defined in specification.
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Evgeny Yakovlev <[email protected]> --- MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c index 5b8b1aa..fba60da 100644 --- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c +++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c @@ -199,8 +199,8 @@ UsbCreateDesc ( } } - if ((Len <= Offset) || (Len < Offset + DescLen) || - (Head->Type != Type) || (Head->Len != DescLen)) { + if ((Len <= Offset) || (Len < Offset + Head->Len) || + (Head->Type != Type) || (Head->Len < DescLen)) { DEBUG (( EFI_D_ERROR, "UsbCreateDesc: met mal-format descriptor\n")); return NULL; } -- 2.7.4 (Apple Git-66) _______________________________________________ edk2-devel mailing list [email protected] https://lists.01.org/mailman/listinfo/edk2-devel
