[efi] Avoid integer underflow on malformed USB string descriptors

author Michael Brown <mcb30@ipxe.org>

Thu, 1 Oct 2020 17:33:12 +0000 (18:33 +0100)

committer Michael Brown <mcb30@ipxe.org>

Thu, 1 Oct 2020 22:27:53 +0000 (23:27 +0100)
author Michael Brown <mcb30@ipxe.org>
Thu, 1 Oct 2020 17:33:12 +0000 (18:33 +0100)
committer Michael Brown <mcb30@ipxe.org>
Thu, 1 Oct 2020 22:27:53 +0000 (23:27 +0100)
diff --git a/src/interface/efi/efi_usb.c b/src/interface/efi/efi_usb.c

index bac2d053af5b5dc4ac6b9c4022e59a3268c7ade0..a8c274a57b4929c070c65c938755e825e35138a6 100644 (file)
--- a/src/interface/efi/efi_usb.c
+++ b/src/interface/efi/efi_usb.c
@@ -981,6 +981,12 @@ efi_usb_get_string_descriptor ( EFI_USB_IO_PROTOCOL *usbio, UINT16 language,
                 goto err_get_header;
         }
         len = header.len;
+       if ( len < sizeof ( header ) ) {
+               DBGC ( usbdev, "USBDEV %s underlength string %d:%d\n",
+                      usbintf->name, language, index );
+               rc = -EINVAL;
+               goto err_len;
+       }
  
         /* Allocate buffer */
         if ( ( efirc = bs->AllocatePool ( EfiBootServicesData, len,
@@ -1014,6 +1020,7 @@ efi_usb_get_string_descriptor ( EFI_USB_IO_PROTOCOL *usbio, UINT16 language,
   err_get_descriptor:
         bs->FreePool ( buffer );
   err_alloc:
+ err_len:
   err_get_header:
         bs->RestoreTPL ( saved_tpl );
         return EFIRC ( rc );
author	Michael Brown <mcb30@ipxe.org>
	Thu, 1 Oct 2020 17:33:12 +0000 (18:33 +0100)
committer	Michael Brown <mcb30@ipxe.org>
	Thu, 1 Oct 2020 22:27:53 +0000 (23:27 +0100)