Check the size of the response before accessing data in the response packet. This is to avoid accessing data beyond the end of the response.
Signed-off-by: Stefan Berger <[email protected]>
---
 drivers/char/tpm/tpm2-cmd.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 4bcda2b..f55e876 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -689,6 +689,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
 u16 data_len;
 u8 *data;
 int rc;
+ u32 rlength;

 rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_UNSEAL);
 if (rc)
@@ -708,8 +709,19 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
 rc = -EPERM;

 if (!rc) {
+ rlength = be32_to_cpu(((struct tpm2_cmd *)&buf)
+ ->header.out.length);
+ if (rlength < TPM_HEADER_SIZE + 4 + 2) {
+ rc = -EFAULT;
+ goto out;
+ }
 data_len = be16_to_cpup(
 (__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
+
+ if (rlength < TPM_HEADER_SIZE + 4 + 2 + data_len) {
+ rc = -EFAULT;
+ goto out;
+ }
 data = &buf.data[TPM_HEADER_SIZE + 6];

 memcpy(payload->key, data, data_len - 1);
@@ -717,6 +729,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
 payload->migratable = data[data_len - 1];
 }

+out:
 tpm_buf_destroy(&buf);
 return rc;
 }
--
2.4.3
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi
_______________________________________________
tpmdd-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
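Review bot: The new length checks in the second hunk read `rlength` through `(struct tpm2_cmd *)&buf`, the address of the `buf` object itself, while every other access in the hunk reads the response through `buf.data[...]`; unless the response bytes sit at offset 0 of `buf` (its definition is not visible here), the value being compared is not the response header's length and the checks bound nothing. Casting the data pointer instead, `rlength = be32_to_cpu(((struct tpm2_cmd *)buf.data)->header.out.length);`, would match the neighbouring accesses. Separately, the device-supplied `data_len` is still not bounded against the destination: a value of 0 makes `data_len - 1` negative in the `memcpy` length and in the `data[data_len - 1]` index, and nothing caps it at the size of `payload->key`, so a guard such as `if (data_len < 1 || data_len - 1 > sizeof(payload->key)) { rc = -EFAULT; goto out; }` (assuming `key` is an array member) belongs before the copy. tpm2_unseal_cmd begins before this hunk and continues past it.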
