Atmel TPM: Fix potential buffer overruns
authorJeremy Boone <jeremy.boone@nccgroup.trust>
Mon, 12 Feb 2018 22:56:37 +0000 (17:56 -0500)
committerTom Rini <trini@konsulko.com>
Mon, 5 Mar 2018 15:05:36 +0000 (10:05 -0500)
Ensure that the Atmel TPM driver performs sufficient
validation of the length returned in the TPM response header.
This patch prevents memory corruption if the header contains a
length value that is larger than the destination buffer.

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
drivers/tpm/tpm_atmel_twi.c

index eba654b15dcad4d85fa06e9396be4147888ea1c4..4fd772dc4fcb82aac741552204cbca52dffbb1b7 100644 (file)
@@ -106,13 +106,23 @@ static int tpm_atmel_twi_xfer(struct udevice *dev,
                udelay(100);
        }
        if (!res) {
-               *recv_len = get_unaligned_be32(recvbuf + 2);
-               if (*recv_len > 10)
+               unsigned int hdr_recv_len;
+               hdr_recv_len = get_unaligned_be32(recvbuf + 2);
+               if (hdr_recv_len < 10) {
+                       puts("tpm response header too small\n");
+                       return -1;
+               } else if (hdr_recv_len > *recv_len) {
+                       puts("tpm response length is bigger than receive buffer\n");
+                       return -1;
+               } else {
+                       *recv_len = hdr_recv_len;
 #ifndef CONFIG_DM_I2C
                        res = i2c_read(0x29, 0, 0, recvbuf, *recv_len);
 #else
                        res = dm_i2c_read(dev, 0, recvbuf, *recv_len);
 #endif
+
+               }
        }
        if (res) {
                printf("i2c_read returned %d (rlen=%d)\n", res, *recv_len);