Check the size of the response before accessing data in the response packet. This is to avoid accessing data beyond the end of the response.
Signed-off-by: Stefan Berger <[email protected]>
---
 drivers/char/tpm/tpm-interface.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index f80df9c..1c04a2d 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -1059,7 +1059,7 @@ int tpm_get_random(u32 chip_num, u8 *out, size_t max)
 {
 struct tpm_chip *chip;
 struct tpm_cmd_t tpm_cmd;
- u32 recd, num_bytes = min_t(u32, max, TPM_MAX_RNG_DATA);
+ u32 recd, num_bytes = min_t(u32, max, TPM_MAX_RNG_DATA), rlength;
 int err, total = 0, retries = 5;
 u8 *dest = out;
@@ -1085,8 +1085,18 @@ int tpm_get_random(u32 chip_num, u8 *out, size_t max)
 0, "attempting get random");
 if (err)
 break;
-
+ rlength = be32_to_cpu(tpm_cmd.header.out.length);
+ if (rlength < offsetof(struct tpm_cmd_t,
+ params.getrandom_out.rng_data)) {
+ total = -EFAULT;
+ break;
+ }
 recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
+ if (rlength < offsetof(struct tpm_cmd_t,
+ params.getrandom_out.rng_data) + recd) {
+ total = -EFAULT;
+ break;
+ }
 memcpy(dest, tpm_cmd.params.getrandom_out.rng_data, recd);
 dest += recd;
--
2.4.3
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi
_______________________________________________
tpmdd-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
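Review bot: In the second hunk, both new checks bound `recd` only by `rlength`, which is itself read from the response header, so nothing ties the `memcpy(dest, ..., recd)` to what the caller asked for. A response whose header length and `rng_data_len` agree with each other but exceed `num_bytes` would still pass and could write past the end of `out`; a guard such as `if (recd > num_bytes) { total = -EFAULT; break; }` before the `memcpy` would close that. The sum `offsetof(...) + recd` is also evaluated in `size_t`, so where `size_t` is 32 bits a very large `recd` can wrap and slip through; `if (recd > rlength - offsetof(struct tpm_cmd_t, params.getrandom_out.rng_data))` avoids the wrap, since the first check already guarantees `rlength` is at least the offset. The rest of the loop lies outside the hunk, so whether `rlength` is validated against the bytes actually received, or `num_bytes` is adjusted later, cannot be confirmed from here.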
