sandbox: tpm: Correct handling of SANDBOX_TPM_PCR_NB
This is the number of PCRs, so the current check is off by one. Also the
map itself should not be checked, just the resulting pcr_index, to avoid
confusing people who read the code.
Fix these problems.
Signed-off-by: Simon Glass <sjg@chromium.org>
diff --git a/drivers/tpm/tpm2_tis_sandbox.c b/drivers/tpm/tpm2_tis_sandbox.c
index ed9c9a0..3c4bbcd 100644
--- a/drivers/tpm/tpm2_tis_sandbox.c
+++ b/drivers/tpm/tpm2_tis_sandbox.c
@@ -642,15 +642,8 @@
for (i = 0; i < pcr_array_sz; i++)
pcr_map += (u64)sent[i] << (i * 8);
- if (pcr_map >> SANDBOX_TPM_PCR_NB) {
- printf("Sandbox TPM handles up to %d PCR(s)\n",
- SANDBOX_TPM_PCR_NB);
- rc = TPM2_RC_VALUE;
- return sandbox_tpm2_fill_buf(recv, recv_len, tag, rc);
- }
-
if (!pcr_map) {
- printf("Empty PCR map.\n");
+ printf("Empty PCR map\n");
rc = TPM2_RC_VALUE;
return sandbox_tpm2_fill_buf(recv, recv_len, tag, rc);
}
@@ -659,6 +652,13 @@
if (pcr_map & BIT(i))
pcr_index = i;
+ if (pcr_index >= SANDBOX_TPM_PCR_NB) {
+ printf("Invalid index %d, sandbox TPM handles up to %d PCR(s)\n",
+ pcr_index, SANDBOX_TPM_PCR_NB);
+ rc = TPM2_RC_VALUE;
+ return sandbox_tpm2_fill_buf(recv, recv_len, tag, rc);
+ }
+
/* Write tag */
put_unaligned_be16(tag, recv);
recv += sizeof(tag);
@@ -692,9 +692,9 @@
pcr_index = get_unaligned_be32(sendbuf + sizeof(tag) +
sizeof(length) +
sizeof(command));
- if (pcr_index > SANDBOX_TPM_PCR_NB) {
- printf("Sandbox TPM handles up to %d PCR(s)\n",
- SANDBOX_TPM_PCR_NB);
+ if (pcr_index >= SANDBOX_TPM_PCR_NB) {
+ printf("Invalid index %d, sandbox TPM handles up to %d PCR(s)\n",
+ pcr_index, SANDBOX_TPM_PCR_NB);
rc = TPM2_RC_VALUE;
}