leandrof/u-boot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Infineon TPM: Fix potential buffer overruns

Browse Source 
Ensure that the Infineon I2C and SPI TPM driver performs adequate
validation of the length extracted from the TPM response header.
This patch prevents integer underflow when the length was too small,
which could lead to memory corruption.

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
This commit is contained in:
Jeremy Boone 2018-02-12 17:56:36 -05:00 committed by Tom Rini
parent 12e0ab327d
commit afe0e6bddf
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
drivers/tpm/tpm_tis_infineon.c
View File

@ -374,7 +374,8 @@ static int tpm_tis_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
{
struct tpm_chip *chip = dev_get_priv(dev);
int size = 0;
int expected, status;
int status;
unsigned int expected;
int rc;
status = tpm_tis_i2c_status(dev);
@ -394,7 +395,7 @@ static int tpm_tis_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
}
expected = get_unaligned_be32(buf + TPM_RSP_SIZE_BYTE);
if ((size_t)expected > count) {
if ((size_t)expected > count || (size_t)expected < TPM_HEADER_SIZE) {
debug("Error size=%x, expected=%x, count=%x\n", size, expected,
count);
return -ENOSPC;