[tpmdd-devel,06/10] tpm: tpm2_load_cmd: check size of response before accessing data

Message ID 1484057900-17871-6-git-send-email-stefanb@linux.vnet.ibm.com
State New

Commit Message

Stefan Berger Jan. 10, 2017, 2:18 p.m. UTC
Check the size of the response before accessing data in the
response packet. This is to avoid accessing data beyond the
end of the response.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
---
 drivers/char/tpm/tpm2-cmd.c | 3 +++
 1 file changed, 3 insertions(+)

Patch

diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index 57bb774..4bcda2b 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -618,6 +618,9 @@  static int tpm2_load_cmd(struct tpm_chip *chip,
 	}
 
 	rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, flags, "loading blob");
+	if (!rc && be32_to_cpu(((struct tpm2_cmd *)&buf)->header.out.length) <
+                   TPM_HEADER_SIZE + 4)
+		rc = -EFAULT;
 	if (!rc)
 		*blob_handle = be32_to_cpup(
 			(__be32 *) &buf.data[TPM_HEADER_SIZE]);
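
Review bot: The length check on the first added line reads the header through `(struct tpm2_cmd *)&buf`, while the transmit call just above and the handle read just below both go through `buf.data`. If `data` is a pointer member of the buffer struct rather than its first inline field, the check inspects the wrapper struct instead of the response bytes, so the value compared against `TPM_HEADER_SIZE + 4` would not be the response length; casting `buf.data` would match the neighbouring lines. Two smaller points on the same lines: the continuation line is indented with spaces where the rest of the function uses tabs, and -EFAULT normally denotes a bad address, so an I/O-style error code may describe a short response more accurately.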