Today's implementation doesn't check whether the length of the
descriptor is valid before using it.

The patch fixes this issue.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <[email protected]>
Cc: Star Zeng <[email protected]>
Cc: Jiewen Yao <[email protected]>
Reviewed-by: Star Zeng <[email protected]>
---
 MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c 
b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
index 70442c57da..9fc6422ab1 100644
--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
+++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
@@ -772,6 +772,13 @@ UsbGetOneConfig (
 
   DEBUG (( EFI_D_INFO, "UsbGetOneConfig: total length is %d\n", 
Desc.TotalLength));
 
+  //
+  // Reject if TotalLength even cannot cover itself.
+  //
+  if (Desc.TotalLength < OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) + 
sizeof (Desc.TotalLength)) {
+    return NULL;
+  }
+
   Buf = AllocateZeroPool (Desc.TotalLength);
 
   if (Buf == NULL) {
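
Review bot: The lower bound in the new `if` only requires TotalLength to reach the end of its own field (OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) + sizeof (Desc.TotalLength)), so a device-reported value smaller than sizeof (EFI_USB_CONFIG_DESCRIPTOR) still passes and sizes the AllocateZeroPool buffer. If the code after the allocation reads any configuration header field beyond TotalLength out of Buf, compare against sizeof (EFI_USB_CONFIG_DESCRIPTOR) instead. The comment would read better as "Reject if TotalLength cannot even cover itself", and a DEBUG line before `return NULL` would let this rejection be told apart from the allocation failure handled just below.
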
-- 
2.16.1.windows.1
