@@ -363,7 +363,7 @@ static const struct tpm_input_header tpm2_getrandom_header = {
int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max)
{
struct tpm2_cmd cmd;
- u32 recd;
+ u32 recd, rlength;
u32 num_bytes;
int err;
int total = 0;
@@ -385,8 +385,16 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *out, size_t max)
if (err)
break;
+ rlength = be32_to_cpu(cmd.header.out.length);
+ if (rlength < offsetof(struct tpm2_cmd,
+ params.getrandom_out.buffer))
+ return -EFAULT;
+
recd = min_t(u32, be16_to_cpu(cmd.params.getrandom_out.size),
num_bytes);
+ if (rlength < offsetof(struct tpm2_cmd,
+ params.getrandom_out.buffer) + recd)
+ return -EFAULT;
memcpy(dest, cmd.params.getrandom_out.buffer, recd);
dest += recd;
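Review bot: Both new length checks (the one right after `rlength` is read and the one before the `memcpy`) leave the loop with a bare `return -EFAULT`, while the transmit-failure path just above them uses `break`. Any bytes already copied to `out` in earlier iterations and counted in `total` are then not reported, and whatever follows the loop is skipped. The loop and the function's tail are outside this hunk, so confirm which behaviour is intended; if partial results should be kept, `err = -EFAULT; break;` would match the existing path. Also note that `rlength` is the length the device itself reports in the response header, so these checks bound reads to the claimed size only; whether that value is compared with the bytes actually received is decided in the transmit path, which is not visible here. A short comment above the first check, e.g. `/* header length is device-supplied; never read past it */`, would record that assumption.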
Check the size of the response before accessing data in the response packet. This is to avoid accessing data beyond the end of the response. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> --- drivers/char/tpm/tpm2-cmd.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)