@@ -1059,7 +1059,7 @@ int tpm_get_random(u32 chip_num, u8 *out, size_t max)
{
struct tpm_chip *chip;
struct tpm_cmd_t tpm_cmd;
- u32 recd, num_bytes = min_t(u32, max, TPM_MAX_RNG_DATA);
+ u32 recd, num_bytes = min_t(u32, max, TPM_MAX_RNG_DATA), rlength;
int err, total = 0, retries = 5;
u8 *dest = out;
@@ -1085,8 +1085,18 @@ int tpm_get_random(u32 chip_num, u8 *out, size_t max)
0, "attempting get random");
if (err)
break;
-
+ rlength = be32_to_cpu(tpm_cmd.header.out.length);
+ if (rlength < offsetof(struct tpm_cmd_t,
+ params.getrandom_out.rng_data)) {
+ total = -EFAULT;
+ break;
+ }
recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
+ if (rlength < offsetof(struct tpm_cmd_t,
+ params.getrandom_out.rng_data) + recd) {
+ total = -EFAULT;
+ break;
+ }
memcpy(dest, tpm_cmd.params.getrandom_out.rng_data, recd);
dest += recd;
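Review bot: The two added checks bound `recd` only against `rlength`, the length the device itself reports in the response header, and never against the space remaining in the caller's buffer, so the memcpy into `dest` can still write more than `num_bytes` bytes when a misbehaving TPM returns a `rng_data_len` larger than was requested. `num_bytes` is already `min_t(u32, max, TPM_MAX_RNG_DATA)` in the first hunk, so one more guard before the memcpy closes the gap: `if (recd > num_bytes) { total = -EFAULT; break; }`. It also seems worth confirming that transmit_cmd caps `rlength` at the size of `tpm_cmd`; if it does not, the second check should additionally reject `rlength > sizeof(tpm_cmd)`, since otherwise the header can claim more data than the buffer actually holds. Bounding `recd` first also avoids relying on `offsetof(...) + recd` not wrapping where `size_t` is 32 bits wide. The do/while loop and the remainder of tpm_get_random continue past the end of the hunk.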
Check the size of the response before accessing data in the response packet. This is to avoid accessing data beyond the end of the response. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> --- drivers/char/tpm/tpm-interface.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)