leandrof/u-boot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

STMicro TPM: Fix potential buffer overruns

Browse Source 
This patch prevents integer underflow when the length was too small,
which could lead to memory corruption.

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
This commit is contained in:
Jeremy Boone 2018-02-12 17:56:35 -05:00 committed by Tom Rini
parent 77bba970e2
commit 12e0ab327d
2 changed files with 6 additions and 4 deletions

5
drivers/tpm/tpm_tis_st33zp24_i2c.c
View File

@ -303,7 +303,8 @@ static int st33zp24_i2c_recv_data(struct udevice *dev, u8 *buf, size_t count)
static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
{
struct tpm_chip *chip = dev_get_priv(dev);
int size, expected;
int size;
unsigned int expected;
if (!chip)
return -ENODEV;
@ -320,7 +321,7 @@ static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
}
expected = get_unaligned_be32(buf + 2);
if (expected > count) {
if (expected > count || expected < TPM_HEADER_SIZE) {
size = -EIO;
goto out;
}

5
drivers/tpm/tpm_tis_st33zp24_spi.c
View File

@ -431,7 +431,8 @@ static int st33zp24_spi_recv_data(struct udevice *dev, u8 *buf, size_t count)
static int st33zp24_spi_recv(struct udevice *dev, u8 *buf, size_t count)
{
struct tpm_chip *chip = dev_get_priv(dev);
int size, expected;
int size;
unsigned int expected;
if (!chip)
return -ENODEV;
@ -448,7 +449,7 @@ static int st33zp24_spi_recv(struct udevice *dev, u8 *buf, size_t count)
}
expected = get_unaligned_be32(buf + 2);
if (expected > count) {
if (expected > count || expected < TPM_HEADER_SIZE) {
size = -EIO;
goto out;
}