Today's implementation doesn't check whether the length of
descriptor is valid before using it.
The patch fixes this issue by syncing the similar fix to UsbBusDxe.
70c3c2370a2aefe71cf0f6c1a1e063f7d74e1d79
*MdeModulePkg/UsbBus: Reject descriptor whose length is bad
Additionally the patch also rejects the data when length is
larger than sizeof (PeiUsbDevice->ConfigurationData).
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
ConfigDesc = (EFI_USB_CONFIG_DESCRIPTOR *) PeiUsbDevice->ConfigurationData;\r
ConfigDescLength = ConfigDesc->TotalLength;\r
\r
+ //\r
+ // Reject if TotalLength even cannot cover itself.\r
+ //\r
+ if (ConfigDescLength < OFFSET_OF (EFI_USB_CONFIG_DESCRIPTOR, TotalLength) + sizeof (ConfigDesc->TotalLength)) {\r
+ return EFI_DEVICE_ERROR;\r
+ }\r
+\r
+ //\r
+ // Reject if TotalLength exceeds the PeiUsbDevice->ConfigurationData.\r
+ //\r
+ if (ConfigDescLength > sizeof (PeiUsbDevice->ConfigurationData)) {\r
+ return EFI_DEVICE_ERROR;\r
+ }\r
+\r
//\r
// Then we get the total descriptors for this configuration\r
//\r