Atmel TPM: Fix potential buffer overruns

Ensure that the Atmel TPM driver performs sufficient validation of the length returned in the TPM response header. This patch prevents memory corruption if the header contains a length value that is larger than the destination buffer. Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
author: Jeremy Boone <jeremy.boone@nccgroup.trust> 2018-02-12 17:56:37 -0500
committer: Tom Rini <trini@konsulko.com> 2018-03-05 10:05:36 -0500
commit: b3f40703408e57cad492802b777448a068b1f671 (patch)
tree: f70dbe24a583f0f794a5eefffeae66716d382c13 /drivers/tpm
parent: afe0e6bddf295d4514ab56cd76d5ec13a9c30b22 (diff)
1 files changed, 12 insertions, 2 deletions
diff --git a/drivers/tpm/tpm_atmel_twi.c b/drivers/tpm/tpm_atmel_twi.c
index eba654b15d..4fd772dc4f 100644
--- a/drivers/tpm/tpm_atmel_twi.c
+++ b/drivers/tpm/tpm_atmel_twi.c
@@ -106,13 +106,23 @@ static int tpm_atmel_twi_xfer(struct udevice *dev,
 		udelay(100);
 	}
 	if (!res) {
-		*recv_len = get_unaligned_be32(recvbuf + 2);
-		if (*recv_len > 10)
+		unsigned int hdr_recv_len;
+		hdr_recv_len = get_unaligned_be32(recvbuf + 2);
+		if (hdr_recv_len < 10) {
+			puts("tpm response header too small\n");
+			return -1;
+		} else if (hdr_recv_len > *recv_len) {
+			puts("tpm response length is bigger than receive buffer\n");
+			return -1;
+		} else {
+			*recv_len = hdr_recv_len;
 #ifndef CONFIG_DM_I2C
 			res = i2c_read(0x29, 0, 0, recvbuf, *recv_len);
 #else
 			res = dm_i2c_read(dev, 0, recvbuf, *recv_len);
 #endif
+
+		}
 	}
 	if (res) {
 		printf("i2c_read returned %d (rlen=%d)\n", res, *recv_len);
author	Jeremy Boone <jeremy.boone@nccgroup.trust>	2018-02-12 17:56:37 -0500
committer	Tom Rini <trini@konsulko.com>	2018-03-05 10:05:36 -0500
commit	b3f40703408e57cad492802b777448a068b1f671 (patch)
tree	f70dbe24a583f0f794a5eefffeae66716d382c13 /drivers/tpm
parent	afe0e6bddf295d4514ab56cd76d5ec13a9c30b22 (diff)