Atmel TPM: Fix potential buffer overruns

Ensure that the Atmel TPM driver performs sufficient validation of the length returned in the TPM response header. This patch prevents memory corruption if the header contains a length value that is larger than the destination buffer. Signed-off-by: N Jeremy Boone <jeremy.boone@nccgroup.trust>

Atmel TPM: Fix potential buffer overruns
Ensure that the Atmel TPM driver performs sufficient validation of the length returned in the TPM response header. This patch prevents memory corruption if the header contains a length value that is larger than the destination buffer. Signed-off-by: N Jeremy Boone <jeremy.boone@nccgroup.trust>
b3f40703 · Jeremy Boone · Tom Rini · afe0e6bd · b3f40703
隐藏空白更改
内联并排

Showing with 12 addition and 2 deletion

drivers/tpm/tpm_atmel_twi.c drivers/tpm/tpm_atmel_twi.c +12 -2

未找到文件。
--- a/drivers/tpm/tpm_atmel_twi.c
+++ b/drivers/tpm/tpm_atmel_twi.c
@@ -106,13 +106,23 @@ static int tpm_atmel_twi_xfer(struct udevice *dev,
 		udelay(100);
 	}
 	if (!res) {
-		*recv_len = get_unaligned_be32(recvbuf + 2);
-		if (*recv_len > 10)
+		unsigned int hdr_recv_len;
+		hdr_recv_len = get_unaligned_be32(recvbuf + 2);
+		if (hdr_recv_len < 10) {
+			puts("tpm response header too small\n");
+			return -1;
+		} else if (hdr_recv_len > *recv_len) {
+			puts("tpm response length is bigger than receive buffer\n");
+			return -1;
+		} else {
+			*recv_len = hdr_recv_len;
 #ifndef CONFIG_DM_I2C
 			res = i2c_read(0x29, 0, 0, recvbuf, *recv_len);
 #else
 			res = dm_i2c_read(dev, 0, recvbuf, *recv_len);
 #endif
+
+		}
 	}
 	if (res) {
 		printf("i2c_read returned %d (rlen=%d)\n", res, *recv_len);