Infineon TPM: Fix potential buffer overruns

Ensure that the Infineon I2C and SPI TPM driver performs adequate validation of the length extracted from the TPM response header. This patch prevents integer underflow when the length was too small, which could lead to memory corruption. Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
author: Jeremy Boone <jeremy.boone@nccgroup.trust> 2018-02-12 17:56:36 -0500
committer: Tom Rini <trini@konsulko.com> 2018-03-05 10:05:36 -0500
commit: afe0e6bddf295d4514ab56cd76d5ec13a9c30b22 (patch)
tree: 64f93c651177185772dfde1398812d969e48913b /drivers
parent: 12e0ab327d1a6711ee40ac9ade2e189d1092e962 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/tpm/tpm_tis_infineon.c b/drivers/tpm/tpm_tis_infineon.c
index e3e20d89968..41b748e7a23 100644
--- a/drivers/tpm/tpm_tis_infineon.c
+++ b/drivers/tpm/tpm_tis_infineon.c
@@ -374,7 +374,8 @@ static int tpm_tis_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
 {
 	struct tpm_chip *chip = dev_get_priv(dev);
 	int size = 0;
-	int expected, status;
+	int status;
+	unsigned int expected;
 	int rc;
 
 	status = tpm_tis_i2c_status(dev);
@@ -394,7 +395,7 @@ static int tpm_tis_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
 	}
 
 	expected = get_unaligned_be32(buf + TPM_RSP_SIZE_BYTE);
-	if ((size_t)expected > count) {
+	if ((size_t)expected > count || (size_t)expected < TPM_HEADER_SIZE) {
 		debug("Error size=%x, expected=%x, count=%x\n", size, expected,
 		      count);
 		return -ENOSPC;
author	Jeremy Boone <jeremy.boone@nccgroup.trust>	2018-02-12 17:56:36 -0500
committer	Tom Rini <trini@konsulko.com>	2018-03-05 10:05:36 -0500
commit	afe0e6bddf295d4514ab56cd76d5ec13a9c30b22 (patch)
tree	64f93c651177185772dfde1398812d969e48913b /drivers
parent	12e0ab327d1a6711ee40ac9ade2e189d1092e962 (diff)