On 4/30/26 11:51 AM, Stefan Berger wrote:
Limit the number of bytes read from the TPM response to the size of the
receiving buffer, which is the same as the size of the buffer negotiated
with swtpm.

The TPM TIS and SPAPR use 4096 bytes and the CRB 3968 bytes. There are
currently no TPM 2 responses that use a buffer of this size, and therefore
no response will be sent that exceeds this size.


Fixes: f4ede81eed29 ("tpm: Added support for TPM emulator")


Signed-off-by: Stefan Berger <[email protected]>
> --->   backends/tpm/tpm_emulator.c | 11 ++++++++---
  1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/backends/tpm/tpm_emulator.c b/backends/tpm/tpm_emulator.c
index 653989ac0e..050a1f4225 100644
--- a/backends/tpm/tpm_emulator.c
+++ b/backends/tpm/tpm_emulator.c
@@ -176,8 +176,9 @@ static int tpm_emulator_unix_tx_bufs(TPMEmulator *tpm_emu,
                                       bool *selftest_done,
                                       Error **errp)
  {
-    ssize_t ret;
      bool is_selftest = false;
+    size_t to_read;
+    ssize_t ret;
if (selftest_done) {
          *selftest_done = false;
@@ -195,9 +196,13 @@ static int tpm_emulator_unix_tx_bufs(TPMEmulator *tpm_emu,
          return -1;
      }
+ /*
+     * Size of response from swtpm must be <= out_len (= negotiated buffer size)
+     */
+    to_read = MIN(tpm_cmd_get_size(out), out_len) - sizeof(struct tpm_resp_hdr);
+
      ret = qio_channel_read_all(tpm_emu->data_ioc,
-              (char *)out + sizeof(struct tpm_resp_hdr),
-              tpm_cmd_get_size(out) - sizeof(struct tpm_resp_hdr), errp);
+              (char *)out + sizeof(struct tpm_resp_hdr), to_read, errp);
      if (ret != 0) {
          return -1;
      }
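Review bot: The new `to_read` computation has an upper bound but no lower one: `to_read` is a `size_t`, so if the size field returned by `tpm_cmd_get_size(out)` (or `out_len` itself) is smaller than `sizeof(struct tpm_resp_hdr)`, the subtraction wraps to a very large value and `qio_channel_read_all()` is again asked to write far past the end of `out`. That size field presumably comes from the response header received from swtpm, so it should be checked on both sides; testing the clamped value before subtracting and failing through `errp` closes the gap. Separately, the clamp silently truncates an oversized response and would leave its tail unread on the data channel, so returning an error when `tpm_cmd_get_size(out) > out_len` may be preferable to reading a partial body. The body of tpm_emulator_unix_tx_bufs starts and ends outside this hunk, so an earlier check of the header cannot be ruled out from here.

```c
    /* … unchanged: header read and its error return … */
    to_read = MIN(tpm_cmd_get_size(out), out_len);
    if (to_read < sizeof(struct tpm_resp_hdr)) {
        error_setg(errp, "tpm-emulator: response size smaller than header");
        return -1;
    }
    to_read -= sizeof(struct tpm_resp_hdr);
    /* … unchanged: qio_channel_read_all() of the response body … */
```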

