From 4de9d876477e4d93416a99a14bd730a1acdd0ae4 Mon Sep 17 00:00:00 2001
From: Feng Tian
Date: Tue, 19 Nov 2013 06:17:34 +0000
Subject: [PATCH] MdeModulePkg/UsbBus: Stop parsing descriptor if some of descriptor fields are invalid.
Signed-off-by: Feng Tian
Reviewed-by: Jiewen Yao
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@14863 6f19259b-4bc3-4df7-8a09-765794883524
---
 MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c | 32 +++++++++++++++---------
 1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
index b2401ca40e..9687eb0bca 100644
--- a/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
+++ b/MdeModulePkg/Bus/Usb/UsbBusDxe/UsbDesc.c
@@ -142,15 +142,15 @@ UsbFreeDevDesc (
 VOID *
 UsbCreateDesc (
 IN UINT8 *DescBuf,
- IN INTN Len,
+ IN UINTN Len,
 IN UINT8 Type,
- OUT INTN *Consumed
+ OUT UINTN *Consumed
 )
 {
 USB_DESC_HEAD *Head;
- INTN DescLen;
- INTN CtrlLen;
- INTN Offset;
+ UINTN DescLen;
+ UINTN CtrlLen;
+ UINTN Offset;
 VOID *Desc;

 DescLen = 0;
@@ -188,7 +188,15 @@ UsbCreateDesc (

 while ((Offset < Len) && (Head->Type != Type)) {
 Offset += Head->Len;
+ if (Len <= Offset) {
+ DEBUG (( EFI_D_ERROR, "UsbCreateDesc: met mal-format descriptor, Beyond boundary!\n"));
+ return NULL;
+ }
 Head = (USB_DESC_HEAD*)(DescBuf + Offset);
+ if (Head->Len == 0) {
+ DEBUG (( EFI_D_ERROR, "UsbCreateDesc: met mal-format descriptor, Head->Len = 0!\n"));
+ return NULL;
+ }
 }

 if ((Len <= Offset) || (Len < Offset + DescLen) ||
@@ -223,16 +231,16 @@ UsbCreateDesc (
 USB_INTERFACE_SETTING *
 UsbParseInterfaceDesc (
 IN UINT8 *DescBuf,
- IN INTN Len,
- OUT INTN *Consumed
+ IN UINTN Len,
+ OUT UINTN *Consumed
 )
 {
 USB_INTERFACE_SETTING *Setting;
 USB_ENDPOINT_DESC *Ep;
 UINTN Index;
 UINTN NumEp;
- INTN Used;
- INTN Offset;
+ UINTN Used;
+ UINTN Offset;

 *Consumed = 0;
 Setting = UsbCreateDesc (DescBuf, Len, USB_DESC_TYPE_INTERFACE, &Used);
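Review bot: With `Len`, `Offset` and `*Consumed` now UINTN in UsbCreateDesc (and the same type change in the UsbParseInterfaceDesc and UsbParseConfigDesc hunks further down), a remaining-length subtraction that would previously have gone negative now wraps to a very large value and passes every `Offset < Len` style test. The `Len - Offset` argument in the endpoint loop is covered by the new `Offset < Len` condition, but any other place these functions shrink `Len` or advance by a device-reported length lies outside the visible hunks, so it cannot be confirmed here. Each such site should test the subtrahend first, in the form `if (Consumed > Len) { /* reject descriptor */ }`, before the subtraction. The function header comments should also say that the lengths are unsigned byte counts and that callers must never pass a computed difference without that check.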
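Review bot: The added `if (Len <= Offset)` test in the `while` loop only guarantees that one byte remains at `DescBuf + Offset`, yet the following lines read `Head->Len` and the loop condition then reads `Head->Type`. Assuming USB_DESC_HEAD is the two-byte length/type header (its definition is not in this hunk), a device-supplied buffer with a single trailing byte still causes a one-byte read past the end. Compare against the header size instead, `if ((Len <= Offset) || (Len - Offset < sizeof (USB_DESC_HEAD))) {`, and consider tightening the second check to `if (Head->Len < sizeof (USB_DESC_HEAD)) {` so a length of 1 is rejected along with 0. The first `Head` is assigned before the loop, outside the hunk, and would need the same size check; UsbCreateDesc's body starts and ends outside these lines.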
@@ -265,7 +273,7 @@ UsbParseInterfaceDesc (
 //
 // Create the endpoints for this interface
 //
- for (Index = 0; Index < NumEp; Index++) {
+ for (Index = 0; (Index < NumEp) && (Offset < Len); Index++) {
 Ep = UsbCreateDesc (DescBuf + Offset, Len - Offset, USB_DESC_TYPE_ENDPOINT, &Used);

 if (Ep == NULL) {
@@ -300,7 +308,7 @@ ON_ERROR:
 USB_CONFIG_DESC *
 UsbParseConfigDesc (
 IN UINT8 *DescBuf,
- IN INTN Len
+ IN UINTN Len
 )
 {
 USB_CONFIG_DESC *Config;
@@ -308,7 +316,7 @@ UsbParseConfigDesc (
 USB_INTERFACE_DESC *Interface;
 UINTN Index;
 UINTN NumIf;
- INTN Consumed;
+ UINTN Consumed;

 ASSERT (DescBuf != NULL);

--
2.39.2
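Review bot: When the endpoint loop in UsbParseInterfaceDesc stops because `Offset` reached `Len` while `Index < NumEp`, nothing in the hunk records that the interface was truncated. The code after the loop is outside the hunk, so this is inferred: if it returns `Setting` as is, the setting still declares `NumEp` endpoints while the remaining entries were never filled in. Anything that later iterates by the declared count would then touch unset entries. Fail explicitly right after the loop with `if (Index < NumEp) { goto ON_ERROR; }`, using the `ON_ERROR` label that appears to close this function, and log it with a DEBUG message in the style of the ones added to UsbCreateDesc.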