tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

MdeModulePkg/UsbBusPei: Reject descriptor whose length is bad 

Today's implementation doesn't check whether the length of
descriptor is valid before using it.

The patch fixes this issue by syncing the similar fix to UsbBusDxe.
70c3c2370a
*MdeModulePkg/UsbBus: Reject descriptor whose length is bad

Additionally the patch also rejects the data when length is
larger than sizeof (PeiUsbDevice->ConfigurationData).

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
This commit is contained in:
Ruiyu Ni 2018-10-25 18:09:46 +08:00
parent c96de1dbae
commit 70425456da
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
View File

@ -816,6 +816,20 @@ PeiUsbGetAllConfiguration (
ConfigDesc = (EFI_USB_CONFIG_DESCRIPTOR *) PeiUsbDevice->ConfigurationData;
ConfigDescLength = ConfigDesc->TotalLength;
//
// Reject if TotalLength even cannot cover itself.
//
if (ConfigDescLength < OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) + sizeof (ConfigDesc->TotalLength)) {
return EFI_DEVICE_ERROR;
}
//
// Reject if TotalLength exceeds the PeiUsbDevice->ConfigurationData.
//
if (ConfigDescLength > sizeof (PeiUsbDevice->ConfigurationData)) {
return EFI_DEVICE_ERROR;
}
//
// Then we get the total descriptors for this configuration
//