From fd5d2dd2f55eedb3cf6001cc00587020c90411f5 Mon Sep 17 00:00:00 2001
From: Feng Tian
Date: Wed, 15 Jun 2016 10:29:45 +0800
Subject: [PATCH] MdeModulePkg/XhciDxe:Fix usb desc length check logic
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Feng Tian
Reviewed-by: Evgeny Yakovlev
---
 MdeModulePkg/Bus/Pci/XhciDxe/XhciSched.c | 34 ++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/MdeModulePkg/Bus/Pci/XhciDxe/XhciSched.c b/MdeModulePkg/Bus/Pci/XhciDxe/XhciSched.c
index c25342dc1f..1130b6aac1 100644
--- a/MdeModulePkg/Bus/Pci/XhciDxe/XhciSched.c
+++ b/MdeModulePkg/Bus/Pci/XhciDxe/XhciSched.c
@@ -2596,6 +2596,11 @@ XhcInitializeEndpointContext (
 EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
 }
+ if (EpDesc->Length < sizeof (USB_ENDPOINT_DESCRIPTOR)) {
+ EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
+ continue;
+ }
+
 EpAddr = (UINT8)(EpDesc->EndpointAddress & 0x0F);
 Direction = (UINT8)((EpDesc->EndpointAddress & 0x80) ? EfiUsbDataIn : EfiUsbDataOut);
@@ -2759,6 +2764,11 @@ XhcInitializeEndpointContext64 (
 EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
 }
+ if (EpDesc->Length < sizeof (USB_ENDPOINT_DESCRIPTOR)) {
+ EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
+ continue;
+ }
+
 EpAddr = (UINT8)(EpDesc->EndpointAddress & 0x0F);
 Direction = (UINT8)((EpDesc->EndpointAddress & 0x80) ? EfiUsbDataIn : EfiUsbDataOut);
@@ -2928,6 +2938,11 @@ XhcSetConfigCmd (
 IfDesc = (USB_INTERFACE_DESCRIPTOR *)((UINTN)IfDesc + IfDesc->Length);
 }
+ if (IfDesc->Length < sizeof (USB_INTERFACE_DESCRIPTOR)) {
+ IfDesc = (USB_INTERFACE_DESCRIPTOR *)((UINTN)IfDesc + IfDesc->Length);
+ continue;
+ }
+
 Dci = XhcInitializeEndpointContext (Xhc, SlotId, DeviceSpeed, InputContext, IfDesc);
 if (Dci > MaxDci) {
 MaxDci = Dci;
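Review bot: The skip added to XhcInitializeEndpointContext still advances `EpDesc` by the device-supplied `EpDesc->Length` without checking that the value is non-zero or that the new pointer stays inside the configuration descriptor. With `Length == 0` the pointer does not move, so the descriptor-type walk whose body is visible just above (its condition is outside the hunk) would presumably never advance either. The call visible in XhcSetConfigCmd passes only `IfDesc`, so no end-of-buffer limit appears to reach this function. Consider passing the descriptor end down and stopping on a bad length, e.g. `if ((EpDesc->Length == 0) || ((UINTN)EpDesc + EpDesc->Length > DescEnd)) { break; }`, where `DescEnd` is a placeholder for that limit. The identical additions in XhcInitializeEndpointContext64, XhcSetConfigCmd, XhcSetConfigCmd64, XhcSetInterface and XhcSetInterface64 have the same gap.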
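Review bot: The length check added to XhcSetConfigCmd is the same five-line block pasted into six loops (also XhcSetConfigCmd64, both XhcInitializeEndpointContext variants and both XhcSetInterface variants), and none carries a comment saying why a short descriptor is skipped rather than rejected. Because the skip ends in `continue`, a short descriptor also uses up one pass of the enclosing loop, whose header is outside the hunk; if that loop counts interfaces, a later valid one may go unconfigured, and that deserves a sentence in the code. A comment above the check would help, for example `// Skip descriptors shorter than the structure read below; their trailing fields would come from the next descriptor.` Moving the check-and-advance into one static helper would keep later fixes to the length handling in a single place.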
@@ -3013,6 +3028,11 @@ XhcSetConfigCmd64 (
 IfDesc = (USB_INTERFACE_DESCRIPTOR *)((UINTN)IfDesc + IfDesc->Length);
 }
+ if (IfDesc->Length < sizeof (USB_INTERFACE_DESCRIPTOR)) {
+ IfDesc = (USB_INTERFACE_DESCRIPTOR *)((UINTN)IfDesc + IfDesc->Length);
+ continue;
+ }
+
 Dci = XhcInitializeEndpointContext64 (Xhc, SlotId, DeviceSpeed, InputContext, IfDesc);
 if (Dci > MaxDci) {
 MaxDci = Dci;
@@ -3261,7 +3281,7 @@ XhcSetInterface (
 IfDesc = (USB_INTERFACE_DESCRIPTOR *)(ConfigDesc + 1);
 while ((UINTN) IfDesc < ((UINTN) ConfigDesc + ConfigDesc->TotalLength)) {
- if (IfDesc->DescriptorType == USB_DESC_TYPE_INTERFACE) {
+ if ((IfDesc->DescriptorType == USB_DESC_TYPE_INTERFACE) && (IfDesc->Length >= sizeof (USB_INTERFACE_DESCRIPTOR))) {
 if (IfDesc->InterfaceNumber == (UINT8) Request->Index) {
 if (IfDesc->AlternateSetting == Xhc->UsbDevContext[SlotId].ActiveAlternateSetting[IfDesc->InterfaceNumber]) {
 //
@@ -3301,6 +3321,11 @@ XhcSetInterface (
 EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
 }
+ if (EpDesc->Length < sizeof (USB_ENDPOINT_DESCRIPTOR)) {
+ EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
+ continue;
+ }
+
 EpAddr = (UINT8) (EpDesc->EndpointAddress & 0x0F);
 Direction = (UINT8) ((EpDesc->EndpointAddress & 0x80) ? EfiUsbDataIn : EfiUsbDataOut);
@@ -3458,7 +3483,7 @@ XhcSetInterface64 (
 IfDesc = (USB_INTERFACE_DESCRIPTOR *)(ConfigDesc + 1);
 while ((UINTN) IfDesc < ((UINTN) ConfigDesc + ConfigDesc->TotalLength)) {
- if (IfDesc->DescriptorType == USB_DESC_TYPE_INTERFACE) {
+ if ((IfDesc->DescriptorType == USB_DESC_TYPE_INTERFACE) && (IfDesc->Length >= sizeof (USB_INTERFACE_DESCRIPTOR))) {
 if (IfDesc->InterfaceNumber == (UINT8) Request->Index) {
 if (IfDesc->AlternateSetting == Xhc->UsbDevContext[SlotId].ActiveAlternateSetting[IfDesc->InterfaceNumber]) {
 //
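Review bot: The new `IfDesc->Length >= sizeof (USB_INTERFACE_DESCRIPTOR)` test in XhcSetInterface trusts the descriptor's own length field but does not check that those bytes lie inside `ConfigDesc->TotalLength`; the `while` condition bounds only the start of `IfDesc`. A descriptor that begins in the last few bytes of the buffer would still have `InterfaceNumber` and `AlternateSetting` read past the end, so the condition should also require `((UINTN) IfDesc + IfDesc->Length <= (UINTN) ConfigDesc + ConfigDesc->TotalLength)`. `IfDesc->InterfaceNumber` also indexes `ActiveAlternateSetting` directly, and the array's size is not visible in this hunk, so it is worth confirming that index is bounded. The same change in XhcSetInterface64 has the same gap, and how the loop advances when the test fails is outside the hunk.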
@@ -3498,6 +3523,11 @@ XhcSetInterface64 (
 EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
 }
+ if (EpDesc->Length < sizeof (USB_ENDPOINT_DESCRIPTOR)) {
+ EpDesc = (USB_ENDPOINT_DESCRIPTOR *)((UINTN)EpDesc + EpDesc->Length);
+ continue;
+ }
+
 EpAddr = (UINT8) (EpDesc->EndpointAddress & 0x0F);
 Direction = (UINT8) ((EpDesc->EndpointAddress & 0x80) ? EfiUsbDataIn : EfiUsbDataOut);
--
2.39.2