From afe0e6bddf295d4514ab56cd76d5ec13a9c30b22 Mon Sep 17 00:00:00 2001 From: Jeremy Boone Date: Mon, 12 Feb 2018 17:56:36 -0500 Subject: Infineon TPM: Fix potential buffer overruns Ensure that the Infineon I2C and SPI TPM driver performs adequate validation of the length extracted from the TPM response header. This patch prevents integer underflow when the length was too small, which could lead to memory corruption. Signed-off-by: Jeremy Boone --- drivers/tpm/tpm_tis_infineon.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'drivers/tpm') diff --git a/drivers/tpm/tpm_tis_infineon.c b/drivers/tpm/tpm_tis_infineon.c index e3e20d8996..41b748e7a2 100644 --- a/drivers/tpm/tpm_tis_infineon.c +++ b/drivers/tpm/tpm_tis_infineon.c @@ -374,7 +374,8 @@ static int tpm_tis_i2c_recv(struct udevice *dev, u8 *buf, size_t count) { struct tpm_chip *chip = dev_get_priv(dev); int size = 0; - int expected, status; + int status; + unsigned int expected; int rc; status = tpm_tis_i2c_status(dev); @@ -394,7 +395,7 @@ static int tpm_tis_i2c_recv(struct udevice *dev, u8 *buf, size_t count) } expected = get_unaligned_be32(buf + TPM_RSP_SIZE_BYTE); - if ((size_t)expected > count) { + if ((size_t)expected > count || (size_t)expected < TPM_HEADER_SIZE) { debug("Error size=%x, expected=%x, count=%x\n", size, expected, count); return -ENOSPC; -- cgit v1.2.3