From: Jeremy Boone <jeremy.boone@nccgroup.trust>

Ensure that the Atmel TPM driver performs sufficient
validation of the length returned in the TPM response header.
This patch prevents memory corruption if the header contains a
length value that is larger than the destination buffer.

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
---
 drivers/tpm/tpm_atmel_twi.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/tpm/tpm_atmel_twi.c b/drivers/tpm/tpm_atmel_twi.c
index eba654b..4fd772d 100644
--- a/drivers/tpm/tpm_atmel_twi.c
+++ b/drivers/tpm/tpm_atmel_twi.c
@@ -106,13 +106,23 @@ static int tpm_atmel_twi_xfer(struct udevice *dev,
                udelay(100);
        }
        if (!res) {
-               *recv_len = get_unaligned_be32(recvbuf + 2);
-               if (*recv_len > 10)
+               unsigned int hdr_recv_len;
+               hdr_recv_len = get_unaligned_be32(recvbuf + 2);
+               if (hdr_recv_len < 10) {
+                       puts("tpm response header too small\n");
+                       return -1;
+               } else if (hdr_recv_len > *recv_len) {
+                       puts("tpm response length is bigger than receive 
buffer\n");
+                       return -1;
+               } else {
+                       *recv_len = hdr_recv_len;
 #ifndef CONFIG_DM_I2C
                        res = i2c_read(0x29, 0, 0, recvbuf, *recv_len);
 #else
                        res = dm_i2c_read(dev, 0, recvbuf, *recv_len);
 #endif
+
+               }
        }
        if (res) {
                printf("i2c_read returned %d (rlen=%d)\n", res, *recv_len);
-- 
2.7.4

_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
https://lists.denx.de/listinfo/u-boot

Reply via email to