STMicro TPM: Fix potential buffer overruns
[u-boot] / drivers / tpm / tpm_tis_st33zp24_i2c.c
index 9e4829fea2fe1d8b5af04b1f3146ab8ae3186d11..245218fc075b95e95b230f3d9acab8f4b0670f01 100644 (file)
@@ -1,7 +1,8 @@
 /*
  * STMicroelectronics TPM ST33ZP24 I2C UBOOT driver
  *
- * Copyright (C) 2016 STMicroelectronics
+ * Copyright (C) 2016, STMicroelectronics - All Rights Reserved
+ * Author(s): Christophe Ricard <christophe-h.ricard@st.com> for STMicroelectronics.
  *
  * Description: Device driver for ST33ZP24 I2C TPM TCG.
  *
@@ -302,7 +303,8 @@ static int st33zp24_i2c_recv_data(struct udevice *dev, u8 *buf, size_t count)
 static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
 {
        struct tpm_chip *chip = dev_get_priv(dev);
-       int size, expected;
+       int size;
+       unsigned int expected;
 
        if (!chip)
                return -ENODEV;
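Review bot: `size` stays `int` while `expected` becomes `unsigned int`, so any later comparison between the two in st33zp24_i2c_recv will convert a negative `size` to a large unsigned value. The next hunk assigns `size = -EIO`, so `size` can hold negative error codes. If code after these hunks detects a short or failed read with something like `size < expected` (not visible here), that test would now pass over an error instead of catching it. Writing such a check as `if (size < 0 || (unsigned int)size < expected)` keeps the error path intact. The function body continues outside the hunk, so this needs confirming against the full file.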
@@ -319,7 +321,7 @@ static int st33zp24_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
        }
 
        expected = get_unaligned_be32(buf + 2);
-       if (expected > count) {
+       if (expected > count || expected < TPM_HEADER_SIZE) {
                size = -EIO;
                goto out;
        }
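Review bot: The new lower bound on `expected` has no comment saying why a length below `TPM_HEADER_SIZE` is rejected, and the reason is security-relevant. `expected` is read from `buf + 2`, which is data returned by the device, so it has to be treated as untrusted. A value smaller than the header would presumably make a later `expected - TPM_HEADER_SIZE` length wrap now that the variable is unsigned, though that code is outside the hunk. Suggest adding above the `if`: `/* expected comes from the device's response header: reject it if it exceeds the caller's buffer or is shorter than the header already read */`. It is also worth confirming that `count >= TPM_HEADER_SIZE` is checked before the header is read into `buf`, since that check is not visible here.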