STMicro TPM: Fix potential buffer overruns

This patch prevents integer underflow when the length was too small, which could lead to memory corruption. Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
6 years ago · 12e0ab327d
parent 77bba970e2
commit 12e0ab327d
2 changed files with 6 additions and 4 deletions
--- a/drivers/tpm/tpm_tis_st33zp24_i2c.c
+++ b/drivers/tpm/tpm_tis_st33zp24_i2c.c
@ -303,7 +303,8 @@ static int st33zp24_i2c_recv_data(struct udevice *dev, u8 *buf, size_t count)
 static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
 {
 	struct tpm_chip *chip = dev_get_priv(dev);
-	int size, expected;
+	int size;
+	unsigned int expected;

 	if (!chip)
 		return -ENODEV;
@ -320,7 +321,7 @@ static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
 	}

 	expected = get_unaligned_be32(buf + 2);
-	if (expected > count) {
+	if (expected > count || expected < TPM_HEADER_SIZE) {
 		size = -EIO;
 		goto out;
 	}
--- a/drivers/tpm/tpm_tis_st33zp24_spi.c
+++ b/drivers/tpm/tpm_tis_st33zp24_spi.c
@ -431,7 +431,8 @@ static int st33zp24_spi_recv_data(struct udevice *dev, u8 *buf, size_t count)
 static int st33zp24_spi_recv(struct udevice *dev, u8 *buf, size_t count)
 {
 	struct tpm_chip *chip = dev_get_priv(dev);
-	int size, expected;
+	int size;
+	unsigned int expected;

 	if (!chip)
 		return -ENODEV;
@ -448,7 +449,7 @@ static int st33zp24_spi_recv(struct udevice *dev, u8 *buf, size_t count)
 	}

 	expected = get_unaligned_be32(buf + 2);
-	if (expected > count) {
+	if (expected > count || expected < TPM_HEADER_SIZE) {
 		size = -EIO;
 		goto out;
 	}