MdeModulePkg/UsbBusPei: Reject descriptor whose length is bad

Today's implementation doesn't check whether the length of descriptor is valid before using it. The patch fixes this issue by syncing the similar fix to UsbBusDxe. 70c3c2370a2aefe71cf0f6c1a1e063f7d74e1d79 *MdeModulePkg/UsbBus: Reject descriptor whose length is bad Additionally the patch also rejects the data when length is larger than sizeof (PeiUsbDevice->ConfigurationData). Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com>
2025-04-08 17:05:09 +02:00 · 2018-10-25 18:09:46 +08:00 · 2018-10-25 18:09:46 +08:00 · 70425456da
commit 70425456da
parent c96de1dbae
1 changed files with 14 additions and 0 deletions
--- a/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
+++ b/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
@ -816,6 +816,20 @@ PeiUsbGetAllConfiguration (
  ConfigDesc        = (EFI_USB_CONFIG_DESCRIPTOR *) PeiUsbDevice->ConfigurationData;
  ConfigDescLength  = ConfigDesc->TotalLength;

+  //
+  // Reject if TotalLength even cannot cover itself.
+  //
+  if (ConfigDescLength < OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) + sizeof (ConfigDesc->TotalLength)) {
+    return EFI_DEVICE_ERROR;
+  }
+
+  //
+  // Reject if TotalLength exceeds the PeiUsbDevice->ConfigurationData.
+  //
+  if (ConfigDescLength > sizeof (PeiUsbDevice->ConfigurationData)) {
+    return EFI_DEVICE_ERROR;
+  }
+
  //
  // Then we get the total descriptors for this configuration
  //