From: Richard Maciel <[email protected]>

Related to coverity CID 10293.

For two capability values (TSS_TCSCAP_VERSION and
TSS_TCSCAP_PERSSTORAGE), it was possible to pass a NULL subcapability
pointer, which was then used as the source of a memcpy further down
the call tree.

Signed-off-by: Richard Maciel <[email protected]>
---
 src/tspi/tspi_caps.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/tspi/tspi_caps.c b/src/tspi/tspi_caps.c
index 2997d8d..dbf999c 100644
--- a/src/tspi/tspi_caps.c
+++ b/src/tspi/tspi_caps.c
@@ -36,6 +36,7 @@ Tspi_Context_GetCapability(TSS_HCONTEXT tspContext,   /* in */
                           BYTE ** prgbRespData)        /* out */
 {
        TSS_RESULT result;
+       UINT32 dummy_val = 0;
 
        if (prgbRespData == NULL || pulRespDataLength == NULL )
                return TSPERR(TSS_E_BAD_PARAMETER);
@@ -64,19 +65,24 @@ Tspi_Context_GetCapability(TSS_HCONTEXT tspContext, /* in */
                                                 pulRespDataLength,
                                                 prgbRespData);
                        break;
-               case TSS_TCSCAP_ALG:
-                       if (ulSubCapLength != sizeof(UINT32) || !rgbSubCap)
-                               return TSPERR(TSS_E_BAD_PARAMETER);
-                       /* fall through */
-               case TSS_TCSCAP_VERSION:
+               case TSS_TCSCAP_ALG: /* fall through for options below */
                case TSS_TCSCAP_CACHING:
-               case TSS_TCSCAP_PERSSTORAGE:
                case TSS_TCSCAP_MANUFACTURER:
                case TSS_TCSCAP_TRANSPORT:
                case TSS_TCSCAP_PLATFORM_CLASS:
+                       if (ulSubCapLength != sizeof(UINT32) || !rgbSubCap)
+                               return TSPERR(TSS_E_BAD_PARAMETER);
+
                        result = RPC_GetCapability(tspContext, capArea, 
ulSubCapLength, rgbSubCap,
                                                   pulRespDataLength, 
prgbRespData);
                        break;
+               case TSS_TCSCAP_VERSION:
+               case TSS_TCSCAP_PERSSTORAGE:
+                       result = RPC_GetCapability(tspContext, capArea,
+                                       ulSubCapLength ? ulSubCapLength : 
sizeof(UINT32),
+                                       rgbSubCap ? rgbSubCap : &dummy_val,
+                                       pulRespDataLength, prgbRespData);
+                       break;
                default:
                        LogDebug("Invalid capArea: 0x%x", capArea);
                        result = TSPERR(TSS_E_BAD_PARAMETER);
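Review bot: In the new `TSS_TCSCAP_VERSION` / `TSS_TCSCAP_PERSSTORAGE` case the length and the pointer are defaulted independently, so they can disagree: with `rgbSubCap == NULL` and a `ulSubCapLength` larger than `sizeof(UINT32)`, `&dummy_val` is passed with that larger length, and the memcpy the commit message describes would read past the 4-byte stack local; a non-NULL pointer with length 0 is likewise read as 4 bytes from the caller's buffer. Default the two as a pair before the call, e.g. `if (!rgbSubCap) { rgbSubCap = (BYTE *)&dummy_val; ulSubCapLength = sizeof(UINT32); }`, and pass both through unchanged. The cast assumes `rgbSubCap` is a `BYTE *`, which this hunk does not show; if so, `rgbSubCap ? rgbSubCap : &dummy_val` as written also mixes pointer types in the conditional. The body of `Tspi_Context_GetCapability` starts and ends outside this hunk, so the remaining cases were not checked.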
-- 
1.8.5.3

