MdeModulePkg/UsbBusPei: Reject descriptor whose length is bad

[mirror_edk2.git] / MdeModulePkg / Bus / Usb / UsbBusPei / UsbPeim.c

diff --git a/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c b/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
index 86734f2f7362b4bc0c9f25705e8c9d65086bb2c8..c31247abfe5a851ea65801c4994cc7777fbde180 100644 (file)
--- a/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
+++ b/MdeModulePkg/Bus/Usb/UsbBusPei/UsbPeim.c
@@ -816,6 +816,20 @@ PeiUsbGetAllConfiguration (
   ConfigDesc        = (EFI_USB_CONFIG_DESCRIPTOR *) PeiUsbDevice->ConfigurationData;\r
   ConfigDescLength  = ConfigDesc->TotalLength;\r
 \r
+  //\r
+  // Reject if TotalLength even cannot cover itself.\r
+  //\r
+  if (ConfigDescLength < OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) + sizeof (ConfigDesc->TotalLength)) {\r
+    return EFI_DEVICE_ERROR;\r
+  }\r
+\r
+  //\r
+  // Reject if TotalLength exceeds the PeiUsbDevice->ConfigurationData.\r
+  //\r
+  if (ConfigDescLength > sizeof (PeiUsbDevice->ConfigurationData)) {\r
+    return EFI_DEVICE_ERROR;\r
+  }\r
+\r
   //\r
   // Then we get the total descriptors for this configuration\r
   //\r