@@ -689,6 +689,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
u16 data_len;
u8 *data;
int rc;
+ u32 rlength;
rc = tpm_buf_init(&buf, TPM2_ST_SESSIONS, TPM2_CC_UNSEAL);
if (rc)
@@ -708,8 +709,19 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
rc = -EPERM;
if (!rc) {
+ rlength = be32_to_cpu(((struct tpm2_cmd *)&buf)
+ ->header.out.length);
+ if (rlength < TPM_HEADER_SIZE + 4 + 2) {
+ rc = -EFAULT;
+ goto out;
+ }
data_len = be16_to_cpup(
(__be16 *) &buf.data[TPM_HEADER_SIZE + 4]);
+
+ if (rlength < TPM_HEADER_SIZE + 4 + 2 + data_len) {
+ rc = -EFAULT;
+ goto out;
+ }
data = &buf.data[TPM_HEADER_SIZE + 6];
memcpy(payload->key, data, data_len - 1);
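Review bot: The new length check validates data_len only against the response length, not against the destination buffer or the zero case, so the memcpy on the last line of this hunk is still not bounded. With data_len == 0 the u16 is promoted to int and `data_len - 1` becomes -1, which converts to a huge size_t for memcpy, and `data[data_len - 1]` in the next hunk reads one byte before the buffer; with a large data_len the copy overruns payload->key, which appears to be a fixed-size array (MAX_KEY_SIZE + 1 in the trusted-key payload, if that is the type used here — confirm). After the second rlength check I would add `if (data_len == 0 || data_len > sizeof(payload->key)) { rc = -EFAULT; goto out; }`. The repeated offsets `TPM_HEADER_SIZE + 4 + 2` would also read better as one named constant describing the unseal response layout. tpm2_unseal_cmd's signature and the start of its body lie outside the hunk.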
@@ -717,6 +729,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip,
payload->migratable = data[data_len - 1];
}
+out:
tpm_buf_destroy(&buf);
return rc;
}
Check the size of the response before accessing data in the response packet. This is to avoid accessing data beyond the end of the response. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> --- drivers/char/tpm/tpm2-cmd.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)