Ensure tpm_inf_recv() does not overflow the provided buffer when the TPM reports more data than the caller expects.
Signed-off-by: Shahriyar Jalayeri <[email protected]>
---
 drivers/char/tpm/tpm_infineon.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/drivers/char/tpm/tpm_infineon.c b/drivers/char/tpm/tpm_infineon.c
index 7638b65b8..eb6dd55ff 100644
--- a/drivers/char/tpm/tpm_infineon.c
+++ b/drivers/char/tpm/tpm_infineon.c
@@ -250,6 +250,12 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf, size_t count)
 number_of_wtx = 0;
 recv_begin:
+ if (count < 4) {
+ dev_err(&chip->dev,
+ "count less than the header size!\n");
+ return -EIO;
+ }
+
 /* start receiving header */
 for (i = 0; i < 4; i++) {
 ret = wait(chip, STAT_RDA);
@@ -268,6 +274,12 @@ static int tpm_inf_recv(struct tpm_chip *chip, u8 * buf, size_t count)
 /* size of the data received */
 size = ((buf[2] << 8) | buf[3]);
+ if (size > count) {
+ dev_err(&chip->dev,
+ "Buffer too small for incoming data!\n");
+ return -EIO;
+ }
+
 for (i = 0; i < size; i++) {
 wait(chip, STAT_RDA);
 buf[i] = tpm_data_in(RDFIFO);
--
2.43.0
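Review bot: The literal `4` in the new `if (count < 4)` guard repeats the bound of the header loop right below it, and nothing at the check says why a short caller buffer is an error. The reason only shows in the second hunk, where `buf[2]` and `buf[3]` are read as the length field, so `buf` doubles as scratch space for the transport header. I would put `/* buf also receives the 4-byte transport header, so it must hold at least that */` above the check and give the header length a name shared with the loop. The guard sits under `recv_begin:`, so it is presumably re-evaluated on every jump back to the label; moving it above the label would make the one-time precondition explicit. The function body starts and ends outside this hunk.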
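Review bot: The new `size > count` branch returns `-EIO` without consuming the `size` bytes the device has just announced, so that data presumably stays in the read FIFO; whether the next transfer starts from a clean state depends on reset code that is not visible here and should be confirmed. The bound itself matches the loop below it, which writes `buf[0]` through `buf[size - 1]`. Because `size` comes from the device, the message is more useful for triage with both values, e.g. `"TPM announced %u bytes, buffer holds %zu\n", size, count` (adjust `%u` to the declared type of `size`, which is outside the hunk). The function continues past this hunk, so any later access indexed from `size` should be checked against `count` as well.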
