narenas
/
opengnsys_ipxe
mirror of https://github.com/ipxe/ipxe.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[efi] Avoid integer underflow on malformed USB string descriptors 

Signed-off-by: Michael Brown <mcb30@ipxe.org>
pull/154/head
Michael Brown 2020-10-01 18:33:12 +01:00
parent 7c6fdf57ea
commit 02280dc642
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/interface/efi/efi_usb.c
View File

@ -981,6 +981,12 @@ efi_usb_get_string_descriptor ( EFI_USB_IO_PROTOCOL *usbio, UINT16 language,
goto err_get_header;
}
len = header.len;
if ( len < sizeof ( header ) ) {
DBGC ( usbdev, "USBDEV %s underlength string %d:%d\n",
usbintf->name, language, index );
rc = -EINVAL;
goto err_len;
}
/* Allocate buffer */
if ( ( efirc = bs->AllocatePool ( EfiBootServicesData, len,
@ -1014,6 +1020,7 @@ efi_usb_get_string_descriptor ( EFI_USB_IO_PROTOCOL *usbio, UINT16 language,
err_get_descriptor:
bs->FreePool ( buffer );
err_alloc:
err_len:
err_get_header:
bs->RestoreTPL ( saved_tpl );
return EFIRC ( rc );