tyler.durden
/
audk
mirror of https://github.com/acidanthera/audk.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

MdeModulePkg/UsbBus: Reject descriptor whose length is bad 

Today's implementation doesn't check whether the length of
descriptor is valid before using it.

The patch fixes this issue.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
This commit is contained in:
Ruiyu Ni 2018-09-27 16:36:05 +08:00
parent 4c034bf62c
commit 70c3c2370a
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
View File

@ -772,6 +772,13 @@ UsbGetOneConfig (
DEBUG (( EFI_D_INFO, "UsbGetOneConfig: total length is %d\n", Desc.TotalLength));
//
// Reject if TotalLength even cannot cover itself.
//
if (Desc.TotalLength < OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) + sizeof (Desc.TotalLength)) {
return NULL;
}
Buf = AllocateZeroPool (Desc.TotalLength);
if (Buf == NULL) {