[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH v2 12/13] vtpmmgr: Check req_len before unpacking command
On 5/6/21 9:59 AM, Jason Andryuk wrote: > vtpm_handle_cmd doesn't ensure there is enough space before unpacking > the req buffer. Add a minimum size check. Called functions will have > to do their own checking if they need more data from the request. > > The error case is tricky since abort_egress wants to rely with a > corresponding tag. Just hardcode TPM_TAG_RQU_COMMAND since the vtpm is > sending in malformed commands in the first place. > > Signed-off-by: Jason Andryuk <jandryuk@xxxxxxxxx> > --- Reviewed-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx> > stubdom/vtpmmgr/vtpm_cmd_handler.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/stubdom/vtpmmgr/vtpm_cmd_handler.c > b/stubdom/vtpmmgr/vtpm_cmd_handler.c > index c879b24c13..5586be6997 100644 > --- a/stubdom/vtpmmgr/vtpm_cmd_handler.c > +++ b/stubdom/vtpmmgr/vtpm_cmd_handler.c > @@ -840,6 +840,12 @@ TPM_RESULT vtpmmgr_handle_cmd( > UINT32 size; > TPM_COMMAND_CODE ord; > > + if (tpmcmd->req_len < sizeof_TPM_RQU_HEADER(tpmcmd->req)) { > + status = TPM_BAD_PARAMETER; > + tag = TPM_TAG_RQU_COMMAND; > + goto abort_egress; > + } > + > unpack_TPM_RQU_HEADER(tpmcmd->req, > &tag, &size, &ord); > >
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |