On Tue, Jan 10, 2017 at 09:18:13AM -0500, Stefan Berger wrote:
> Check the size of the response before accessing data in the
> response packet. This is to avoid accessing data beyond the
> end of the response.

IMHO you should change the signature for tpm_transmit_cmd to be:

  ssize_t tpm_transmit_cmd(struct tpm_chip *chip, void *iobuf, size_t tx_len,
                           size_t min_rx_len, unsigned int flags,
                           const char *desc);

And then fold this repeated:

> rc = tpm_transmit_cmd(chip, &cmd, sizeof(cmd), 0, > "attempting to read a pcr value"); > + if (rc == 0 && > + be32_to_cpu(cmd.header.out.length) < TPM2_PCR_READ_OUT_SIZE) > + return -EFAULT;

test into tpm_transmit_cmd and now we require every single caller to specify
the minimum command length.

You can fold all of that into one patch, IMHO. Easier for stable.

Jason
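
Review bot: the added test in the rc == 0 branch compares be32_to_cpu(cmd.header.out.length), a length the device reports about itself, against TPM2_PCR_READ_OUT_SIZE, and the visible lines do not show that field being checked against the number of bytes actually received. If tpm_transmit_cmd does not already enforce that the two agree, compare the received byte count as well, so that a header overstating its length cannot pass the check. Returning -EFAULT for a short response would also benefit from a comment at the call site saying that it means the response was truncated.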
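
A user-space sketch of the check folded into the transmit path, as suggested in the reply above. This is an added example, not code from the patch or from the kernel: check_response, build_resp and HDR_SIZE are hypothetical names, the sample responses are constructed, and min_rx_len is assumed to count the whole response including the header.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

#define HDR_SIZE 10u /* TPM header: tag(2) + length(4) + return code(4), big-endian */

static uint32_t get_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Hypothetical model of the validation done once, inside the transmit path.
 * rx_len is the byte count actually received; min_rx_len is the smallest
 * whole response (header included, an assumption) the caller will parse.
 * Returns 0, a positive TPM return code, or -EFAULT.
 */
ssize_t check_response(const uint8_t *buf, size_t rx_len, size_t min_rx_len)
{
	uint32_t hdr_len, tpm_rc;

	if (rx_len < HDR_SIZE)
		return -EFAULT;          /* not even a full header */
	hdr_len = get_be32(buf + 2);
	if (hdr_len != rx_len)
		return -EFAULT;          /* length field disagrees with the wire */
	tpm_rc = get_be32(buf + 6);
	if (tpm_rc != 0)
		return (ssize_t)tpm_rc;  /* error replies carry no body to parse */
	if (rx_len < min_rx_len)
		return -EFAULT;          /* success, but shorter than the caller needs */
	return 0;
}

/* Build a constructed sample response of wire_len bytes (buf must hold them). */
size_t build_resp(uint8_t *buf, size_t wire_len, uint32_t hdr_len, uint32_t rc)
{
	uint8_t hdr[HDR_SIZE] = { 0x80, 0x01,
		(uint8_t)(hdr_len >> 24), (uint8_t)(hdr_len >> 16),
		(uint8_t)(hdr_len >> 8), (uint8_t)hdr_len,
		(uint8_t)(rc >> 24), (uint8_t)(rc >> 16), (uint8_t)(rc >> 8), (uint8_t)rc };

	memset(buf, 0, wire_len);
	memcpy(buf, hdr, wire_len < HDR_SIZE ? wire_len : HDR_SIZE);
	return wire_len;
}
```

With the minimum length passed in by each caller, a header-only success reply is rejected before any caller dereferences fields past the header.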
