From: Michael Brown <mcb30@ipxe.org>
Date: Thu, 1 Oct 2020 17:26:37 +0000 (+0100)
Subject: [usb] Avoid integer underflow on malformed string descriptors
X-Git-Tag: v1.21.1~91
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7c6fdf57eadb382fc86719daf79c7afa78ace530;p=thirdparty%2Fipxe.git

[usb] Avoid integer underflow on malformed string descriptors

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---

diff --git a/src/drivers/bus/usb.c b/src/drivers/bus/usb.c
index fca47fd36..14eabb6b4 100644
--- a/src/drivers/bus/usb.c
+++ b/src/drivers/bus/usb.c
@@ -913,9 +913,15 @@ int usb_get_string_descriptor ( struct usb_device *usb, unsigned int index,
 					 sizeof ( *desc ) ) ) != 0 )
 		goto err_get_descriptor;
 
-	/* Copy to buffer */
+	/* Calculate string length */
+	if ( desc->header.len < sizeof ( desc->header ) ) {
+		rc = -EINVAL;
+		goto err_len;
+	}
 	actual = ( ( desc->header.len - sizeof ( desc->header ) ) /
 		   sizeof ( desc->character[0] ) );
+
+	/* Copy to buffer */
 	for ( i = 0 ; ( ( i < actual ) && ( i < max ) ) ; i++ )
 		buf[i] = le16_to_cpu ( desc->character[i] );
 	if ( len )
@@ -926,6 +932,7 @@ int usb_get_string_descriptor ( struct usb_device *usb, unsigned int index,
 
 	return actual;
 
+ err_len:
  err_get_descriptor:
 	free ( desc );
  err_alloc: