Message ID | 20210514014011.2832707-11-sjg@chromium.org |
---|---|
State | Accepted |
Commit | fdfae3727ce2d862c5b7d98106c987202d190712 |
Delegated to: | Tom Rini |
Series | [v2,01/16] sandbox: net: Ensure host name is always a valid string |

On Thu, May 13, 2021 at 07:39:29PM -0600, Simon Glass wrote:

> In tpm_sendrecv_command() the command buffer is passed in. If a mistake is
> somehow made in setting this up, the size could be out of range. Add a
> sanity check for this.
>
> Signed-off-by: Simon Glass <sjg@chromium.org>
> Reported-by: Coverity (CID: 331152)

Applied to u-boot/master, thanks!

diff --git a/lib/tpm-common.c b/lib/tpm-common.c index 4277846fdd0..82ffdc5341b 100644 --- a/lib/tpm-common.c +++ b/lib/tpm-common.c @@ -176,6 +176,11 @@ u32 tpm_sendrecv_command(struct udevice *dev, const void *command, } size = tpm_command_size(command); + + /* sanity check, which also helps coverity */ + if (size > COMMAND_BUFFER_SIZE) + return log_msg_ret("size", -E2BIG); + log_debug("TPM request [size:%d]: ", size); for (i = 0; i < size; i++) log_debug("%02x ", ((u8 *)command)[i]);
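
Review bot: The new early return `return log_msg_ret("size", -E2BIG);` passes a negative errno out of a function that the hunk header declares as returning `u32`, so the value reaches callers as a large unsigned number. A caller that compares the result against TPM response codes, or tests only for specific values, could misread it. Consider returning the error in the same form the function's other failure paths use, or documenting that negative errno values travel through the `u32`. The comment could also state what the bound protects: the debug loop directly below reads `size` bytes from `command`, and `size` is derived from the command contents by `tpm_command_size(command)`, so the check caps that read at COMMAND_BUFFER_SIZE but cannot confirm that the caller's buffer is actually that large.
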
In tpm_sendrecv_command() the command buffer is passed in. If a mistake is
somehow made in setting this up, the size could be out of range. Add a
sanity check for this.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Coverity (CID: 331152)
---

(no changes since v1)

lib/tpm-common.c | 5 +++++
1 file changed, 5 insertions(+)