diff options
| -rw-r--r-- | drivers/tpm/tpm_atmel_twi.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/drivers/tpm/tpm_atmel_twi.c b/drivers/tpm/tpm_atmel_twi.c index eba654b15dc..4fd772dc4fc 100644 --- a/drivers/tpm/tpm_atmel_twi.c +++ b/drivers/tpm/tpm_atmel_twi.c @@ -106,13 +106,23 @@ static int tpm_atmel_twi_xfer(struct udevice *dev, udelay(100); } if (!res) { - *recv_len = get_unaligned_be32(recvbuf + 2); - if (*recv_len > 10) + unsigned int hdr_recv_len; + hdr_recv_len = get_unaligned_be32(recvbuf + 2); + if (hdr_recv_len < 10) { + puts("tpm response header too small\n"); + return -1; + } else if (hdr_recv_len > *recv_len) { + puts("tpm response length is bigger than receive buffer\n"); + return -1; + } else { + *recv_len = hdr_recv_len; #ifndef CONFIG_DM_I2C res = i2c_read(0x29, 0, 0, recvbuf, *recv_len); #else res = dm_i2c_read(dev, 0, recvbuf, *recv_len); #endif + + } } if (res) { printf("i2c_read returned %d (rlen=%d)\n", res, *recv_len); |