Message ID | 1484057900-17871-6-git-send-email-stefanb@linux.vnet.ibm.com (mailing list archive) |
---|---|
State | New, archived |
diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c index 57bb774..4bcda2b 100644 --- a/drivers/char/tpm/tpm2-cmd.c +++ b/drivers/char/tpm/tpm2-cmd.c @@ -618,6 +618,9 @@ static int tpm2_load_cmd(struct tpm_chip *chip, } rc = tpm_transmit_cmd(chip, buf.data, PAGE_SIZE, flags, "loading blob"); + if (!rc && be32_to_cpu(((struct tpm2_cmd *)&buf)->header.out.length) < + TPM_HEADER_SIZE + 4) + rc = -EFAULT; if (!rc) *blob_handle = be32_to_cpup( (__be32 *) &buf.data[TPM_HEADER_SIZE]);
Check the size of the response before accessing data in the response packet. This is to avoid accessing data beyond the end of the response. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> --- drivers/char/tpm/tpm2-cmd.c | 3 +++ 1 file changed, 3 insertions(+)
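Review bot: the added length check in tpm2_load_cmd() casts &buf to struct tpm2_cmd *, while the tpm_transmit_cmd() call just above it and the be32_to_cpup() read just below it both go through buf.data. If buf is a wrapper whose data member points at the response, as those two uses suggest, the check reads header.out.length from the wrapper itself rather than from the response, so it does not actually guard the handle read; casting buf.data instead would keep all three accesses on the same buffer. The bare 4 in `TPM_HEADER_SIZE + 4` is the size of the handle read on the following line, so writing it as sizeof(__be32) or a named constant would make that dependency explicit.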