Defend against a broken TPM 1.2 or TPM 2.0 that doesn't send at least
a full response header in the response but less than 10 bytes.
Signed-off-by: Stefan Berger <stef...@linux.ibm.com>
---
src/hw/tpm_drivers.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/hw/tpm_drivers.c b/src/hw/tpm_drivers.c
index e4770b3..2b5753c 100644
--- a/src/hw/tpm_drivers.c
+++ b/src/hw/tpm_drivers.c
@@ -620,7 +620,8 @@ tpmhw_transmit(u8 locty, struct tpm_req_header *req,
return -1;
irc = td->readresp(respbuffer, respbufferlen);
- if (irc != 0)
+ if (irc != 0 ||
+ *respbufferlen < sizeof(struct tpm_rsp_header))
return -1;
td->ready();
--
2.20.1
_______________________________________________
SeaBIOS mailing list -- seabios@seabios.org
To unsubscribe send an email to seabios-le...@seabios.org
