[tpmdd-devel,09/10] tpm: tpm_get_random: check size of response before accessing data

Message ID 1484057900-17871-9-git-send-email-stefanb@linux.vnet.ibm.com
State New

Commit Message

Stefan Berger Jan. 10, 2017, 2:18 p.m. UTC
Check the size of the response before accessing data in the
response packet. This is to avoid accessing data beyond the
end of the response.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
---
 drivers/char/tpm/tpm-interface.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

Patch

diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index f80df9c..1c04a2d 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -1059,7 +1059,7 @@  int tpm_get_random(u32 chip_num, u8 *out, size_t max)
 {
 	struct tpm_chip *chip;
 	struct tpm_cmd_t tpm_cmd;
-	u32 recd, num_bytes = min_t(u32, max, TPM_MAX_RNG_DATA);
+	u32 recd, num_bytes = min_t(u32, max, TPM_MAX_RNG_DATA), rlength;
 	int err, total = 0, retries = 5;
 	u8 *dest = out;
 
@@ -1085,8 +1085,18 @@  int tpm_get_random(u32 chip_num, u8 *out, size_t max)
 				       0, "attempting get random");
 		if (err)
 			break;
-
+		rlength = be32_to_cpu(tpm_cmd.header.out.length);
+		if (rlength < offsetof(struct tpm_cmd_t,
+				       params.getrandom_out.rng_data)) {
+			total = -EFAULT;
+			break;
+		}
 		recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
+		if (rlength < offsetof(struct tpm_cmd_t,
+				       params.getrandom_out.rng_data) + recd) {
+			total = -EFAULT;
+			break;
+		}
 		memcpy(dest, tpm_cmd.params.getrandom_out.rng_data, recd);
 
 		dest += recd;
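Review bot: Both added checks compare `recd` only against `rlength`, and both values come from the device's response, so nothing in this hunk bounds `recd` by what was requested before `memcpy(dest, ..., recd)`. A response that reports a consistent length but a larger `rng_data_len` than `num_bytes` would still pass and write past the space left in `out`. I would add `if (recd > num_bytes) { total = -EFAULT; break; }` right after `recd` is read. Since `num_bytes` is capped at `TPM_MAX_RNG_DATA`, that check also keeps `offsetof(...) + recd` from wrapping where `size_t` is 32 bits. The loop and the updates to `num_bytes` lie outside the hunk, so confirm that `num_bytes` tracks the remaining room in `out` at this point.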