MdeModulePkg/UsbBus: Reject descriptor whose length is bad

[mirror_edk2.git] / MdeModulePkg / Bus / Usb / UsbBusDxe / UsbDesc.c

diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
index 70442c57dabf211adc0b0cda64d86c849fd20f2c..9fc6422ab17ca84924df5f850dc91b23800e1238 100644 (file)
--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
+++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
@@ -772,6 +772,13 @@ UsbGetOneConfig (
 \r
   DEBUG (( EFI_D_INFO, "UsbGetOneConfig: total length is %d\n", Desc.TotalLength));\r
 \r
+  //\r
+  // Reject if TotalLength even cannot cover itself.\r
+  //\r
+  if (Desc.TotalLength < OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) + sizeof (Desc.TotalLength)) {\r
+    return NULL;\r
+  }\r
+\r
   Buf = AllocateZeroPool (Desc.TotalLength);\r
 \r
   if (Buf == NULL) {\r