third_party/tpm2: fix bound checks
BUG=b:260626924
TEST=TCG tests on Cr50 / Simulator
Change-Id: I832db548fe8f887edb79b37b0ec54ea29cf4adb1
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/tpm2/+/4064430
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Auto-Submit: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Commit-Queue: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Nick Peterson <nrpeter@google.com>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Code-Coverage: Vadim Sukhomlinov <sukhomlinov@chromium.org>
Tested-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
diff --git a/CryptUtil.c b/CryptUtil.c
index bf9263e..2aa3941 100644
--- a/CryptUtil.c
+++ b/CryptUtil.c
@@ -2745,6 +2745,10 @@
TPM2B_HMAC_KEY key; // decryption key
UINT32 cipherSize = 0; // size of cipher text
pAssert(session->sessionKey.t.size + extraKey->t.size <= sizeof(key.t.buffer));
+
+ if (bufferSize < leadingSizeInByte)
+ return TPM_RC_INSUFFICIENT;
+
// Retrieve encrypted data size.
if(leadingSizeInByte == 2)
{
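Review bot: The new guard `if (bufferSize < leadingSizeInByte) return TPM_RC_INSUFFICIENT;` carries no comment explaining that it protects the size-field read on the lines that follow; I would add `// The leading size field is read from 'buffer' below, so the buffer must hold at least that many bytes.` above it. The matching decrements `bufferSize -= 2;` and `bufferSize -= 4;` in the next two hunks keep bufferSize in step with the advanced pointer, but the check that cipherSize itself fits in the remaining bufferSize is not visible in any of these hunks, so I am assuming it follows after the else branch; a reviewer should confirm it is there. The declared types of bufferSize and leadingSizeInByte are outside the hunk as well, so whether the comparison mixes signed and unsigned operands cannot be verified from here. The enclosing function starts before this hunk and continues past the last one.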
@@ -2752,6 +2756,7 @@
// data to be decrypted
cipherSize = (UINT32)BYTE_ARRAY_TO_UINT16(buffer);
buffer = &buffer[2]; // advance the buffer
+ bufferSize -= 2;
}
#ifdef TPM4B
else if(leadingSizeInByte == 4)
@@ -2759,6 +2764,7 @@
// the leading size is four bytes so get the four byte size field
cipherSize = BYTE_ARRAY_TO_UINT32(buffer);
buffer = &buffer[4]; //advance pointer
+ bufferSize -= 4;
}
#endif
else