From 02280dc642907b908f4b5c7e0d82d8ad1d51d574 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Thu, 1 Oct 2020 18:33:12 +0100
Subject: [PATCH] [efi] Avoid integer underflow on malformed USB string descriptors

Signed-off-by: Michael Brown
---
 src/interface/efi/efi_usb.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/interface/efi/efi_usb.c b/src/interface/efi/efi_usb.c
index bac2d053a..a8c274a57 100644
--- a/src/interface/efi/efi_usb.c
+++ b/src/interface/efi/efi_usb.c
@@ -981,6 +981,12 @@ efi_usb_get_string_descriptor ( EFI_USB_IO_PROTOCOL *usbio, UINT16 language,
 goto err_get_header;
 }
 len = header.len;
+ if ( len < sizeof ( header ) ) {
+ DBGC ( usbdev, "USBDEV %s underlength string %d:%d\n",
+ usbintf->name, language, index );
+ rc = -EINVAL;
+ goto err_len;
+ }

 /* Allocate buffer */
 if ( ( efirc = bs->AllocatePool ( EfiBootServicesData, len,
@@ -1014,6 +1020,7 @@ efi_usb_get_string_descriptor ( EFI_USB_IO_PROTOCOL *usbio, UINT16 language,
 err_get_descriptor:
 bs->FreePool ( buffer );
 err_alloc:
+ err_len:
 err_get_header:
 bs->RestoreTPL ( saved_tpl );
 return EFIRC ( rc );
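Review bot: The added guard in efi_usb_get_string_descriptor rejects only `len < sizeof ( header )`, so a descriptor that reports an odd total length still passes and reaches AllocatePool with that `len`. USB string descriptors carry 16-bit code units, so if the code after this hunk (not visible here) hands the payload back as a CHAR16 string, an odd payload would leave the last unit straddling the end of the allocation; this should be confirmed against the copy and termination logic further down the function. If it applies, the guard could be widened to `if ( ( len < sizeof ( header ) ) || ( ( len - sizeof ( header ) ) & 1 ) ) {`, with the debug message reworded from "underlength" to "malformed". A one-line comment above the check, such as `/* Reject lengths too short to hold the descriptor header */`, would also record why the device-supplied length cannot be trusted.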