MdeModulePkg/UsbBus: Deny when the string descriptor length is odd

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>

diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
index 9fc6422ab17ca84924df5f850dc91b23800e1238..22b6a9d661139a73af49938ad1cbe16679b9eda2 100644 (file)
--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
+++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
@@ -655,7 +655,13 @@ UsbGetOneString (
   //\r
   Status = UsbCtrlGetDesc (UsbDev, USB_DESC_TYPE_STRING, Index, LangId, &Desc, 2);\r
 \r
-  if (EFI_ERROR (Status)) {\r
+  //\r
+  // Reject if Length even cannot cover itself, or odd because Unicode string byte length should be even.\r
+  //\r
+  if (EFI_ERROR (Status) || \r
+      (Desc.Length < OFFSET_OF (EFI_USB_STRING_DESCRIPTOR, Length) + sizeof (Desc.Length)) ||\r
+      (Desc.Length % 2 != 0)\r
+    ) {\r
     return NULL;\r
   }\r
 \r