Check the size of the response before accessing data in the response packet. This is to avoid accessing data beyond the end of the response.
Signed-off-by: Stefan Berger <[email protected]> --- drivers/char/tpm/tpm2-cmd.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 57bb774..4bcda2b 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -618,6 +618,9 @@ static int tpm2_load_cmd(struct tpm_chip *chip, } rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, flags, "loading blob"); + if (!rc && be32_to_cpu(((struct tpm2_cmd *)&buf)->header.out.length) < + TPM_HEADER_SIZE + 4) + rc = -EFAULT; if (!rc) *blob_handle = be32_to_cpup( (__be32 *) &buf.data[TPM_HEADER_SIZE]); -- 2.4.3
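Review bot: The added length check in tpm2_load_cmd() casts `&buf` to `struct tpm2_cmd *`, but the surrounding lines pass `buf.data` to `tpm_transmit_cmd()` and read the handle from `&buf.data[TPM_HEADER_SIZE]`, so the response header sits at `buf.data`, not at the address of `buf` itself. Unless `data` is an array at offset 0 of `buf`, the check reads the length from the wrong memory and does not protect the access that follows. Cast `buf.data` instead, for example `((struct tpm2_cmd *)buf.data)->header.out.length`. The bare `4` is the size of the handle read on the next line; writing it as `sizeof(__be32)` or a named constant would tie the bound to the access it guards, and a one-line comment saying the bound covers the header plus the returned handle would help the next reader.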
