diff options
| author | Feng Tian <feng.tian@intel.com> | 2013-11-19 06:17:34 +0000 |
|---|---|---|
| committer | erictian <erictian@6f19259b-4bc3-4df7-8a09-765794883524> | 2013-11-19 06:17:34 +0000 |
| commit | 4de9d876477e4d93416a99a14bd730a1acdd0ae4 (patch) | |
| tree | 8f004deb4324140071349c1730a32f3f900ad879 /MdeModulePkg/Bus | |
| parent | 0b10bb6f4387fd0587329d43e768a90371d63491 (diff) | |
| download | edk2-platforms-4de9d876477e4d93416a99a14bd730a1acdd0ae4.tar.xz | |
MdeModulePkg/UsbBus: Stop parsing descriptor if some of descriptor fields are invalid.
Signed-off-by: Feng Tian <feng.tian@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14863 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'MdeModulePkg/Bus')
| -rw-r--r-- | MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c | 32 |
1 files changed, 20 insertions, 12 deletions
diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c index b2401ca40e..9687eb0bca 100644 --- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c +++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c @@ -142,15 +142,15 @@ UsbFreeDevDesc ( VOID *
UsbCreateDesc (
IN UINT8 *DescBuf,
- IN INTN Len,
+ IN UINTN Len,
IN UINT8 Type,
- OUT INTN *Consumed
+ OUT UINTN *Consumed
)
{
USB_DESC_HEAD *Head;
- INTN DescLen;
- INTN CtrlLen;
- INTN Offset;
+ UINTN DescLen;
+ UINTN CtrlLen;
+ UINTN Offset;
VOID *Desc;
DescLen = 0;
@@ -188,7 +188,15 @@ UsbCreateDesc ( while ((Offset < Len) && (Head->Type != Type)) {
Offset += Head->Len;
+ if (Len <= Offset) {
+ DEBUG (( EFI_D_ERROR, "UsbCreateDesc: met mal-format descriptor, Beyond boundary!\n"));
+ return NULL;
+ }
Head = (USB_DESC_HEAD*)(DescBuf + Offset);
+ if (Head->Len == 0) {
+ DEBUG (( EFI_D_ERROR, "UsbCreateDesc: met mal-format descriptor, Head->Len = 0!\n"));
+ return NULL;
+ }
}
if ((Len <= Offset) || (Len < Offset + DescLen) ||
@@ -223,16 +231,16 @@ UsbCreateDesc ( USB_INTERFACE_SETTING *
UsbParseInterfaceDesc (
IN UINT8 *DescBuf,
- IN INTN Len,
- OUT INTN *Consumed
+ IN UINTN Len,
+ OUT UINTN *Consumed
)
{
USB_INTERFACE_SETTING *Setting;
USB_ENDPOINT_DESC *Ep;
UINTN Index;
UINTN NumEp;
- INTN Used;
- INTN Offset;
+ UINTN Used;
+ UINTN Offset;
*Consumed = 0;
Setting = UsbCreateDesc (DescBuf, Len, USB_DESC_TYPE_INTERFACE, &Used);
@@ -265,7 +273,7 @@ UsbParseInterfaceDesc ( //
// Create the endpoints for this interface
//
- for (Index = 0; Index < NumEp; Index++) {
+ for (Index = 0; (Index < NumEp) && (Offset < Len); Index++) {
Ep = UsbCreateDesc (DescBuf + Offset, Len - Offset, USB_DESC_TYPE_ENDPOINT, &Used);
if (Ep == NULL) {
@@ -300,7 +308,7 @@ ON_ERROR: USB_CONFIG_DESC *
UsbParseConfigDesc (
IN UINT8 *DescBuf,
- IN INTN Len
+ IN UINTN Len
)
{
USB_CONFIG_DESC *Config;
@@ -308,7 +316,7 @@ UsbParseConfigDesc ( USB_INTERFACE_DESC *Interface;
UINTN Index;
UINTN NumIf;
- INTN Consumed;
+ UINTN Consumed;
ASSERT (DescBuf != NULL);
|