MdeModulePkg/XhciDxe:Fix usb desc length check logic

Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Feng Tian <feng.tian@intel.com> Reviewed-by: Evgeny Yakovlev <insoreiges@gmail.com>
author: Feng Tian <feng.tian@intel.com> 2016-06-15 10:29:45 +0800
committer: Feng Tian <feng.tian@intel.com> 2016-06-29 10:37:22 +0800
commit: fd5d2dd2f55eedb3cf6001cc00587020c90411f5 (patch)
tree: 1decdd11b7f304c141fa0844ecf7974e17ef5f7d /MdeModulePkg
parent: f89f1dbe5205f7bb7878a9e8b9149d3a6a894104 (diff)
download: edk2-platforms-fd5d2dd2f55eedb3cf6001cc00587020c90411f5.tar.xz
1 files changed, 32 insertions, 2 deletions
diff --git a/MdeModulePkg/Bus/Pci/XhciDxe/XhciSched.c b/MdeModulePkg/Bus/Pci/XhciDxe/XhciSched.c
index c25342dc1f..1130b6aac1 100644
--- a/MdeModulePkg/Bus/Pci/XhciDxe/XhciSched.c
+++ b/MdeModulePkg/Bus/Pci/XhciDxe/XhciSched.c
@@ -2596,6 +2596,11 @@ XhcInitializeEndpointContext (
       EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
     }
 
+    if (EpDesc->Length < sizeof (USB_ENDPOINT_DESCRIPTOR)) {
+      EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
+      continue;
+    }
+
     EpAddr    = (UINT8)(EpDesc->EndpointAddress & 0x0F);
     Direction = (UINT8)((EpDesc->EndpointAddress & 0x80) ? EfiUsbDataIn : EfiUsbDataOut);
 
@@ -2759,6 +2764,11 @@ XhcInitializeEndpointContext64 (
       EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
     }
 
+    if (EpDesc->Length < sizeof (USB_ENDPOINT_DESCRIPTOR)) {
+      EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
+      continue;
+    }
+
     EpAddr    = (UINT8)(EpDesc->EndpointAddress & 0x0F);
     Direction = (UINT8)((EpDesc->EndpointAddress & 0x80) ? EfiUsbDataIn : EfiUsbDataOut);
 
@@ -2928,6 +2938,11 @@ XhcSetConfigCmd (
       IfDesc = (USB_INTERFACE_DESCRIPTOR *)((UINTN)IfDesc + IfDesc->Length);
     }
 
+    if (IfDesc->Length < sizeof (USB_INTERFACE_DESCRIPTOR)) {
+      IfDesc = (USB_INTERFACE_DESCRIPTOR *)((UINTN)IfDesc + IfDesc->Length);
+      continue;
+    }
+
     Dci = XhcInitializeEndpointContext (Xhc, SlotId, DeviceSpeed, InputContext, IfDesc);
     if (Dci > MaxDci) {
       MaxDci = Dci;
@@ -3013,6 +3028,11 @@ XhcSetConfigCmd64 (
       IfDesc = (USB_INTERFACE_DESCRIPTOR *)((UINTN)IfDesc + IfDesc->Length);
     }
 
+    if (IfDesc->Length < sizeof (USB_INTERFACE_DESCRIPTOR)) {
+      IfDesc = (USB_INTERFACE_DESCRIPTOR *)((UINTN)IfDesc + IfDesc->Length);
+      continue;
+    }
+
     Dci = XhcInitializeEndpointContext64 (Xhc, SlotId, DeviceSpeed, InputContext, IfDesc);
     if (Dci > MaxDci) {
       MaxDci = Dci;
@@ -3261,7 +3281,7 @@ XhcSetInterface (
 
   IfDesc = (USB_INTERFACE_DESCRIPTOR *)(ConfigDesc + 1);
   while ((UINTN) IfDesc < ((UINTN) ConfigDesc + ConfigDesc->TotalLength)) {
-    if (IfDesc->DescriptorType == USB_DESC_TYPE_INTERFACE) {
+    if ((IfDesc->DescriptorType == USB_DESC_TYPE_INTERFACE) && (IfDesc->Length >= sizeof (USB_INTERFACE_DESCRIPTOR))) {
       if (IfDesc->InterfaceNumber == (UINT8) Request->Index) {
         if (IfDesc->AlternateSetting == Xhc->UsbDevContext[SlotId].ActiveAlternateSetting[IfDesc->InterfaceNumber]) {
           //
@@ -3301,6 +3321,11 @@ XhcSetInterface (
         EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
       }
 
+      if (EpDesc->Length < sizeof (USB_ENDPOINT_DESCRIPTOR)) {
+        EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
+        continue;
+      }
+
       EpAddr    = (UINT8) (EpDesc->EndpointAddress & 0x0F);
       Direction = (UINT8) ((EpDesc->EndpointAddress & 0x80) ? EfiUsbDataIn : EfiUsbDataOut);
 
@@ -3458,7 +3483,7 @@ XhcSetInterface64 (
 
   IfDesc = (USB_INTERFACE_DESCRIPTOR *)(ConfigDesc + 1);
   while ((UINTN) IfDesc < ((UINTN) ConfigDesc + ConfigDesc->TotalLength)) {
-    if (IfDesc->DescriptorType == USB_DESC_TYPE_INTERFACE) {
+    if ((IfDesc->DescriptorType == USB_DESC_TYPE_INTERFACE) && (IfDesc->Length >= sizeof (USB_INTERFACE_DESCRIPTOR))) {
       if (IfDesc->InterfaceNumber == (UINT8) Request->Index) {
         if (IfDesc->AlternateSetting == Xhc->UsbDevContext[SlotId].ActiveAlternateSetting[IfDesc->InterfaceNumber]) {
           //
@@ -3498,6 +3523,11 @@ XhcSetInterface64 (
         EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
       }
 
+      if (EpDesc->Length < sizeof (USB_ENDPOINT_DESCRIPTOR)) {
+        EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
+        continue;
+      }
+
       EpAddr    = (UINT8) (EpDesc->EndpointAddress & 0x0F);
       Direction = (UINT8) ((EpDesc->EndpointAddress & 0x80) ? EfiUsbDataIn : EfiUsbDataOut);
author	Feng Tian <feng.tian@intel.com>	2016-06-15 10:29:45 +0800
committer	Feng Tian <feng.tian@intel.com>	2016-06-29 10:37:22 +0800
commit	fd5d2dd2f55eedb3cf6001cc00587020c90411f5 (patch)
tree	1decdd11b7f304c141fa0844ecf7974e17ef5f7d /MdeModulePkg
parent	f89f1dbe5205f7bb7878a9e8b9149d3a6a894104 (diff)
download	edk2-platforms-fd5d2dd2f55eedb3cf6001cc00587020c90411f5.tar.xz