summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Boone <jeremy.boone@nccgroup.trust>2018-02-12 17:56:35 -0500
committerTom Rini <trini@konsulko.com>2018-03-05 10:05:36 -0500
commit12e0ab327d1a6711ee40ac9ade2e189d1092e962 (patch)
tree5a7da278ab5236ee86d2947227bf0c8a86bf01f5
parent77bba970e2372b01156c66585db3d6fc751c7178 (diff)
downloadu-boot-12e0ab327d1a6711ee40ac9ade2e189d1092e962.tar.gz
STMicro TPM: Fix potential buffer overruns
This patch prevents integer underflow when the length was too small, which could lead to memory corruption. Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
-rw-r--r--drivers/tpm/tpm_tis_st33zp24_i2c.c5
-rw-r--r--drivers/tpm/tpm_tis_st33zp24_spi.c5
2 files changed, 6 insertions, 4 deletions
diff --git a/drivers/tpm/tpm_tis_st33zp24_i2c.c b/drivers/tpm/tpm_tis_st33zp24_i2c.c
index c8d01254d2..245218fc07 100644
--- a/drivers/tpm/tpm_tis_st33zp24_i2c.c
+++ b/drivers/tpm/tpm_tis_st33zp24_i2c.c
@@ -303,7 +303,8 @@ static int st33zp24_i2c_recv_data(struct udevice *dev, u8 *buf, size_t count)
static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
{
struct tpm_chip *chip = dev_get_priv(dev);
- int size, expected;
+ int size;
+ unsigned int expected;
if (!chip)
return -ENODEV;
@@ -320,7 +321,7 @@ static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
}
expected = get_unaligned_be32(buf + 2);
- if (expected > count) {
+ if (expected > count || expected < TPM_HEADER_SIZE) {
size = -EIO;
goto out;
}
diff --git a/drivers/tpm/tpm_tis_st33zp24_spi.c b/drivers/tpm/tpm_tis_st33zp24_spi.c
index dcf55ee03a..c4c5e05286 100644
--- a/drivers/tpm/tpm_tis_st33zp24_spi.c
+++ b/drivers/tpm/tpm_tis_st33zp24_spi.c
@@ -431,7 +431,8 @@ static int st33zp24_spi_recv_data(struct udevice *dev, u8 *buf, size_t count)
static int st33zp24_spi_recv(struct udevice *dev, u8 *buf, size_t count)
{
struct tpm_chip *chip = dev_get_priv(dev);
- int size, expected;
+ int size;
+ unsigned int expected;
if (!chip)
return -ENODEV;
@@ -448,7 +449,7 @@ static int st33zp24_spi_recv(struct udevice *dev, u8 *buf, size_t count)
}
expected = get_unaligned_be32(buf + 2);
- if (expected > count) {
+ if (expected > count || expected < TPM_HEADER_SIZE) {
size = -EIO;
goto out;
}