UsbBus: Reject descriptor whose length is bad

Zeng, Star Mon, 15 Oct 2018 20:44:05 -0700

On 2018/10/15 14:38, Ruiyu Ni wrote:

Today's implementation doesn't check whether the length of
descriptor is valid before using it.


The patch fixes this issue.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu...@intel.com>
Cc: Star Zeng <star.z...@intel.com>
Cc: Jiewen Yao <jiewen....@intel.com>


Ray,

Thanks for the patch.
Reviewed-by: Star Zeng <star.z...@intel.com>

Star

---
  MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c | 7 +++++++
  1 file changed, 7 insertions(+)

diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c 
b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
index a93060deea..d9bc1f9e28 100644
--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
+++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
@@ -767,6 +767,13 @@ UsbGetOneConfig (

DEBUG (( EFI_D_INFO, "UsbGetOneConfig: total length is %d\n", Desc.TotalLength));+ //

+  // Reject if TotalLength even cannot cover itself.
+  //
+  if (Desc.TotalLength < OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) + 
sizeof (Desc.TotalLength)) {
+    return NULL;
+  }
+
    Buf = AllocateZeroPool (Desc.TotalLength);

if (Buf == NULL) {


_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] [PATCH 04/11] MdeModulePkg/UsbBus: Reject descriptor whose length is bad

Reply via email to