Atmel TPM: Fix potential buffer overruns
Ensure that the Atmel TPM driver performs sufficient
validation of the length returned in the TPM response header.
This patch prevents memory corruption if the header contains a
length value that is larger than the destination buffer.
Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
diff --git a/drivers/tpm/tpm_atmel_twi.c b/drivers/tpm/tpm_atmel_twi.c
index eba654b..4fd772d 100644
--- a/drivers/tpm/tpm_atmel_twi.c
+++ b/drivers/tpm/tpm_atmel_twi.c
@@ -106,13 +106,23 @@
udelay(100);
}
if (!res) {
- *recv_len = get_unaligned_be32(recvbuf + 2);
- if (*recv_len > 10)
+ unsigned int hdr_recv_len;
+ hdr_recv_len = get_unaligned_be32(recvbuf + 2);
+ if (hdr_recv_len < 10) {
+ puts("tpm response header too small\n");
+ return -1;
+ } else if (hdr_recv_len > *recv_len) {
+ puts("tpm response length is bigger than receive buffer\n");
+ return -1;
+ } else {
+ *recv_len = hdr_recv_len;
#ifndef CONFIG_DM_I2C
res = i2c_read(0x29, 0, 0, recvbuf, *recv_len);
#else
res = dm_i2c_read(dev, 0, recvbuf, *recv_len);
#endif
+
+ }
}
if (res) {
printf("i2c_read returned %d (rlen=%d)\n", res, *recv_len);