[usb] Avoid integer underflow on malformed string descriptors

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2020-10-01 18:26:37 +01:00 · 2020-10-01 18:26:37 +01:00 · 7c6fdf57ea
parent 7151fa3ffa
commit 7c6fdf57ea
1 changed files with 8 additions and 1 deletions
--- a/src/drivers/bus/usb.c
+++ b/src/drivers/bus/usb.c
@ -913,9 +913,15 @@ int usb_get_string_descriptor ( struct usb_device *usb, unsigned int index,
 					 sizeof ( *desc ) ) ) != 0 )
 		goto err_get_descriptor;

-	/* Copy to buffer */
+	/* Calculate string length */
+	if ( desc->header.len < sizeof ( desc->header ) ) {
+		rc = -EINVAL;
+		goto err_len;
+	}
 	actual = ( ( desc->header.len - sizeof ( desc->header ) ) /
 		   sizeof ( desc->character[0] ) );
+
+	/* Copy to buffer */
 	for ( i = 0 ; ( ( i < actual ) && ( i < max ) ) ; i++ )
 		buf[i] = le16_to_cpu ( desc->character[i] );
 	if ( len )
@ -926,6 +932,7 @@ int usb_get_string_descriptor ( struct usb_device *usb, unsigned int index,

 	return actual;

+ err_len:
 err_get_descriptor:
 	free ( desc );
 err_alloc: