author | Michael Brown <mcb30@ipxe.org> | 2020-10-01 18:33:12 +0100 |
---|---|---|
committer | Michael Brown <mcb30@ipxe.org> | 2020-10-01 23:27:53 +0100 |
commit | 02280dc642907b908f4b5c7e0d82d8ad1d51d574 (patch) | |
tree | ebaf569d7d0e8aa15d0040a61486063666b6db3e | |
parent | 7c6fdf57eadb382fc86719daf79c7afa78ace530 (diff) | |
download | ipxe-02280dc642907b908f4b5c7e0d82d8ad1d51d574.tar.gz |
[efi] Avoid integer underflow on malformed USB string descriptors
Signed-off-by: Michael Brown <mcb30@ipxe.org>
-rw-r--r-- | src/interface/efi/efi_usb.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/interface/efi/efi_usb.c b/src/interface/efi/efi_usb.c
index bac2d053a..a8c274a57 100644
--- a/src/interface/efi/efi_usb.c
+++ b/src/interface/efi/efi_usb.c
@@ -981,6 +981,12 @@ efi_usb_get_string_descriptor ( EFI_USB_IO_PROTOCOL *usbio, UINT16 language,
 goto err_get_header;
 }
 len = header.len;
+ if ( len < sizeof ( header ) ) {
+ DBGC ( usbdev, "USBDEV %s underlength string %d:%d\n",
+ usbintf->name, language, index );
+ rc = -EINVAL;
+ goto err_len;
+ }
 /* Allocate buffer */
 if ( ( efirc = bs->AllocatePool ( EfiBootServicesData, len,
@@ -1014,6 +1020,7 @@ efi_usb_get_string_descriptor ( EFI_USB_IO_PROTOCOL *usbio, UINT16 language,
 err_get_descriptor:
 bs->FreePool ( buffer );
 err_alloc:
+ err_len:
 err_get_header:
 bs->RestoreTPL ( saved_tpl );
 return EFIRC ( rc );
 |
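Review bot: The new guard after `len = header.len;` bounds the device-supplied length only from below, so a descriptor whose payload is an odd number of bytes still passes. String descriptor payloads are UTF-16, and if the code after the allocation (outside this hunk) terminates or reads the buffer in CHAR16 units, an odd payload length should be rejected on the same path, e.g. `if ( ( len < sizeof ( header ) ) || ( ( len - sizeof ( header ) ) & 1 ) ) {`. The DBGC message reports language and index but not the rejected `len`, which is the value worth having when triaging a misbehaving device. A short comment such as `/* Length is device-controlled: validate before it is used to size the payload */` would record why the check exists. The function body starts and ends outside the hunk, so how `len` is used later should be confirmed against the full file.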