[PATCH v2 13/16] tpm: Check outgoing command size

Simon Glass sjg at chromium.org
Fri May 14 03:39:29 CEST 2021


In tpm_sendrecv_command() the command buffer is passed in. If a mistake is
somehow made in setting this up, the size could be out of range. Add a
sanity check for this.

Signed-off-by: Simon Glass <sjg at chromium.org>
Reported-by: Coverity (CID: 331152)
---

(no changes since v1)

 lib/tpm-common.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/tpm-common.c b/lib/tpm-common.c
index 4277846fdd0..82ffdc5341b 100644
--- a/lib/tpm-common.c
+++ b/lib/tpm-common.c
@@ -176,6 +176,11 @@ u32 tpm_sendrecv_command(struct udevice *dev, const void *command,
 	}
 
 	size = tpm_command_size(command);
+
+	/* sanity check, which also helps coverity */
+	if (size > COMMAND_BUFFER_SIZE)
+		return log_msg_ret("size", -E2BIG);
+
 	log_debug("TPM request [size:%d]: ", size);
 	for (i = 0; i < size; i++)
 		log_debug("%02x ", ((u8 *)command)[i]);
-- 
2.31.1.751.gd2f1c929bd-goog



More information about the U-Boot mailing list