
Commit 180a74e

committed
Added cap parsing limit checks. Added missing TPM_CAP_PCR_PROPERTIES.
1 parent ebf7a6c commit 180a74e

2 files changed

Lines changed: 29 additions & 0 deletions


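--- a/src/tpm2.c
+++ b/src/tpm2.c
@@ -884,6 +884,8 @@ TPM_RC TPM2_GetCapability(GetCapability_In* in, GetCapability_Out* out)
 TPML_ALG_PROPERTY* algorithms =
 &out->capabilityData.data.algorithms;
 TPM2_Packet_ParseU32(&packet, &algorithms->count);
+if (algorithms->count > MAX_CAP_ALGS)
+algorithms->count = MAX_CAP_ALGS;
 for (i=0; i<(int)algorithms->count; i++) {
 TPM2_Packet_ParseU16(&packet,
 &algorithms->algProperties[i].alg);
@@ -897,6 +899,8 @@ TPM_RC TPM2_GetCapability(GetCapability_In* in, GetCapability_Out* out)
 TPML_HANDLE* handles =
 &out->capabilityData.data.handles;
 TPM2_Packet_ParseU32(&packet, &handles->count);
+if (handles->count > MAX_CAP_HANDLES)
+handles->count = MAX_CAP_HANDLES;
 for (i=0; i<(int)handles->count; i++) {
 TPM2_Packet_ParseU32(&packet, &handles->handle[i]);
 }
@@ -907,6 +911,8 @@ TPM_RC TPM2_GetCapability(GetCapability_In* in, GetCapability_Out* out)
 TPML_CCA* cmdAttribs =
 &out->capabilityData.data.command;
 TPM2_Packet_ParseU32(&packet, &cmdAttribs->count);
+if (cmdAttribs->count > MAX_CAP_CC)
+cmdAttribs->count = MAX_CAP_CC;
 for (i=0; i<(int)cmdAttribs->count; i++) {
 TPM2_Packet_ParseU32(&packet,
 &cmdAttribs->commandAttributes[i]);
@@ -919,6 +925,8 @@ TPM_RC TPM2_GetCapability(GetCapability_In* in, GetCapability_Out* out)
 TPML_CC* cmdCodes =
 &out->capabilityData.data.ppCommands;
 TPM2_Packet_ParseU32(&packet, &cmdCodes->count);
+if (cmdCodes->count > MAX_CAP_CC)
+cmdCodes->count = MAX_CAP_CC;
 for (i=0; i<(int)cmdCodes->count; i++) {
 TPM2_Packet_ParseU32(&packet,
 &cmdCodes->commandCodes[i]);
@@ -937,6 +945,8 @@ TPM_RC TPM2_GetCapability(GetCapability_In* in, GetCapability_Out* out)
 TPML_TAGGED_TPM_PROPERTY* prop =
 &out->capabilityData.data.tpmProperties;
 TPM2_Packet_ParseU32(&packet, &prop->count);
+if (prop->count > MAX_TPM_PROPERTIES)
+prop->count = MAX_TPM_PROPERTIES;
 for (i=0; i<(int)prop->count; i++) {
 TPM2_Packet_ParseU32(&packet,
 &prop->tpmProperty[i].property);
@@ -950,13 +960,26 @@ TPM_RC TPM2_GetCapability(GetCapability_In* in, GetCapability_Out* out)
 TPML_TAGGED_PCR_PROPERTY* pcrProp =
 &out->capabilityData.data.pcrProperties;
 TPM2_Packet_ParseU32(&packet, &pcrProp->count);
+if (pcrProp->count > MAX_PCR_PROPERTIES)
+pcrProp->count = MAX_PCR_PROPERTIES;
+for (i=0; i<(int)pcrProp->count; i++) {
+TPMS_TAGGED_PCR_SELECT* sel = &pcrProp->pcrProperty[i];
+TPM2_Packet_ParseU32(&packet, &sel->tag);
+TPM2_Packet_ParseU8(&packet, &sel->sizeofSelect);
+if (sel->sizeofSelect > PCR_SELECT_MAX)
+sel->sizeofSelect = PCR_SELECT_MAX;
+TPM2_Packet_ParseBytes(&packet, sel->pcrSelect,
+sel->sizeofSelect);
+}
 break;
 }
 case TPM_CAP_ECC_CURVES:
 {
 TPML_ECC_CURVE* eccCurves =
 &out->capabilityData.data.eccCurves;
 TPM2_Packet_ParseU32(&packet, &eccCurves->count);
+if (eccCurves->count > MAX_ECC_CURVES)
+eccCurves->count = MAX_ECC_CURVES;
 for (i=0; i<(int)eccCurves->count; i++) {
 TPM2_Packet_ParseU16(&packet,
 &eccCurves->eccCurves[i]);
@@ -968,6 +991,8 @@ TPM_RC TPM2_GetCapability(GetCapability_In* in, GetCapability_Out* out)
 TPML_TAGGED_POLICY* authPol =
 &out->capabilityData.data.authPolicies;
 TPM2_Packet_ParseU32(&packet, &authPol->count);
+if (authPol->count > MAX_TAGGED_POLICIES)
+authPol->count = MAX_TAGGED_POLICIES;
 for (i=0; i<(int)authPol->count; i++) {
 int digSz;
 TPMS_TAGGED_POLICY* pol = &authPol->policies[i];
@@ -988,6 +1013,8 @@ TPM_RC TPM2_GetCapability(GetCapability_In* in, GetCapability_Out* out)
 TPML_ACT_DATA* actData =
 &out->capabilityData.data.actData;
 TPM2_Packet_ParseU32(&packet, &actData->count);
+if (actData->count > MAX_ACT_DATA)
+actData->count = MAX_ACT_DATA;
 for (i=0; i<(int)actData->count; i++) {
 TPM2_Packet_ParseU32(&packet,
 &actData->actData[i].handle);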
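Review bot: Clamping the parsed count at new lines 963-964 (and sizeofSelect at 969-970) keeps the writes inside pcrProp->pcrProperty and sel->pcrSelect, but the bytes of the dropped entries are still in the packet, so every field parsed after the loop is read from the wrong offset and the function still reports success with a silently truncated list. A response whose count exceeds the receiving buffer is malformed, or comes from a TPM this build was not sized for, and is better rejected than repaired: `if (pcrProp->count > MAX_PCR_PROPERTIES) { rc = TPM_RC_SIZE; break; }`, using whatever local this function returns its TPM_RC through and whichever error code the project uses for oversized responses (TPM_RC_SIZE is the spec code for a bad structure size). The same clamp-and-continue pattern is repeated in the other seven hunks of this file (MAX_CAP_ALGS, MAX_CAP_HANDLES, MAX_CAP_CC twice, MAX_TPM_PROPERTIES, MAX_ECC_CURVES, MAX_TAGGED_POLICIES, MAX_ACT_DATA) and in src/tpm2_packet.c. If truncation is intended as best-effort behaviour, each clamp should carry a comment such as `/* truncate to local buffer; unread entries stay in the packet, later fields will be misaligned */` so callers do not mistake the result for a complete list. TPM2_GetCapability begins and ends outside these hunks, so whether the parse position is validated against the response length afterwards cannot be seen here.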

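--- a/src/tpm2_packet.c
+++ b/src/tpm2_packet.c
@@ -425,6 +425,8 @@ void TPM2_Packet_ParsePCR(TPM2_Packet* packet, TPML_PCR_SELECTION* pcr)
 {
 int i;
 TPM2_Packet_ParseU32(packet, &pcr->count);
+if (pcr->count > HASH_COUNT)
+pcr->count = HASH_COUNT;
 for (i=0; i<(int)pcr->count; i++) {
 TPM2_Packet_ParseU16(packet, &pcr->pcrSelections[i].hash);
 TPM2_Packet_ParseU8(packet, &pcr->pcrSelections[i].sizeofSelect);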
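Review bot: The per-entry sizeofSelect read at new line 432 is not bounded in this hunk the way the matching TPM_CAP_PCR_PROPERTIES code in src/tpm2.c bounds it against PCR_SELECT_MAX, and TPM2_Packet_ParsePCR's loop body continues past the hunk, so whether the byte copy that presumably follows into pcrSelections[i].pcrSelect is limited cannot be confirmed here. If it is not, the count clamp at lines 428-429 still leaves a response-supplied length controlling that copy; adding `if (pcr->pcrSelections[i].sizeofSelect > PCR_SELECT_MAX) pcr->pcrSelections[i].sizeofSelect = PCR_SELECT_MAX;` after the ParseU8 would at least make the two parsers consistent. As with the clamps in src/tpm2.c, truncating count instead of failing the parse leaves the unread selections in the packet, so fields parsed after this function return from a wrong offset while the caller sees no error; since this function returns void, signalling that would need the packet's position to be checked by its callers.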
