On 2018/10/15 14:38, Ruiyu Ni wrote:
Today's implementation doesn't check whether the length of
the descriptor is valid before using it.
The patch fixes this issue.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu...@intel.com>
Cc: Star Zeng <star.z...@intel.com>
Cc: Jiewen Yao <jiewen....@intel.com>
Ray,
Thanks for the patch.
Reviewed-by: Star Zeng <star.z...@intel.com>
Star
---
MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
index a93060deea..d9bc1f9e28 100644
--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
+++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
@@ -767,6 +767,13 @@ UsbGetOneConfig (
DEBUG (( EFI_D_INFO, "UsbGetOneConfig: total length is %d\n", Desc.TotalLength));
+ //
+ // Reject if TotalLength even cannot cover itself.
+ //
+ if (Desc.TotalLength < OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) +
sizeof (Desc.TotalLength)) {
+ return NULL;
+ }
+
Buf = AllocateZeroPool (Desc.TotalLength);
if (Buf == NULL) {
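Review bot: The bound in the new `if` only requires Desc.TotalLength to cover the bytes up to and including the TotalLength field, so any value that reaches that far but is still shorter than a full EFI_USB_CONFIG_DESCRIPTOR passes and is handed to AllocateZeroPool. If anything after the allocation reads other fields of the descriptor from Buf, compare against sizeof (EFI_USB_CONFIG_DESCRIPTOR) instead, or say in the comment why the smaller minimum is enough. The early `return NULL` is also silent: the existing DEBUG line prints the length at info level only, so a DEBUG message on the reject path would make a device reporting a malformed length easier to spot in logs.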
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel