From: Jeremy Boone <jeremy.boone@nccgroup.trust>

This patch prevents integer underflow when the length was too small,
which could lead to memory corruption.

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
---
 drivers/tpm/tpm_tis_st33zp24_i2c.c | 5 +++--
 drivers/tpm/tpm_tis_st33zp24_spi.c | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/tpm/tpm_tis_st33zp24_i2c.c 
b/drivers/tpm/tpm_tis_st33zp24_i2c.c
index c8d0125..245218f 100644
--- a/drivers/tpm/tpm_tis_st33zp24_i2c.c
+++ b/drivers/tpm/tpm_tis_st33zp24_i2c.c
@@ -303,7 +303,8 @@ static int st33zp24_i2c_recv_data(struct udevice *dev, u8 
*buf, size_t count)
 static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
 {
        struct tpm_chip *chip = dev_get_priv(dev);
-       int size, expected;
+       int size;
+       unsigned int expected;
 
        if (!chip)
                return -ENODEV;
@@ -320,7 +321,7 @@ static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, 
size_t count)
        }
 
        expected = get_unaligned_be32(buf + 2);
-       if (expected > count) {
+       if (expected > count || expected < TPM_HEADER_SIZE) {
                size = -EIO;
                goto out;
        }
diff --git a/drivers/tpm/tpm_tis_st33zp24_spi.c 
b/drivers/tpm/tpm_tis_st33zp24_spi.c
index dcf55ee..c4c5e05 100644
--- a/drivers/tpm/tpm_tis_st33zp24_spi.c
+++ b/drivers/tpm/tpm_tis_st33zp24_spi.c
@@ -431,7 +431,8 @@ static int st33zp24_spi_recv_data(struct udevice *dev, u8 
*buf, size_t count)
 static int st33zp24_spi_recv(struct udevice *dev, u8 *buf, size_t count)
 {
        struct tpm_chip *chip = dev_get_priv(dev);
-       int size, expected;
+       int size;
+       unsigned int expected;
 
        if (!chip)
                return -ENODEV;
@@ -448,7 +449,7 @@ static int st33zp24_spi_recv(struct udevice *dev, u8 *buf, 
size_t count)
        }
 
        expected = get_unaligned_be32(buf + 2);
-       if (expected > count) {
+       if (expected > count || expected < TPM_HEADER_SIZE) {
                size = -EIO;
                goto out;
        }
-- 
2.7.4

_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot

Reply via email to