MdeModulePkg/UsbKb: Don't access key codes when length is wrong

Per USB HID spec, the buffer holding key codes should be 8-byte
long.
Today's code assumes that the key codes buffer length is 8-byte
long and unconditionally accesses the key codes buffer.
It's incorrect.
The patch fixes the issue by returning Device Error when the
length is less than 8-byte.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Steven Shi <steven.shi@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>

diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
index 9cb4b5db6b69984dcb9bad9d2a038f783b78115b..7505951c82953bd0b56bd72dc75b6cb1facbdd4f 100644 (file)
--- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
+++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
@@ -1059,6 +1059,10 @@ KeyboardHandler (
   // Byte 1 is reserved.\r
   // Bytes 2 to 7 are keycodes.\r
   //\r
+  if (DataLength < 8) {\r
+    return EFI_DEVICE_ERROR;\r
+  }\r
+\r
   CurKeyCodeBuffer  = (UINT8 *) Data;\r
   OldKeyCodeBuffer  = UsbKeyboardDevice->LastKeyCodeArray;\r
 \r