Infineon TPM: Fix potential buffer overruns

Ensure that the Infineon I2C and SPI TPM driver performs adequate
validation of the length extracted from the TPM response header.
This patch prevents integer underflow when the length was too small,
which could lead to memory corruption.

Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>

diff --git a/drivers/tpm/tpm_tis_infineon.c b/drivers/tpm/tpm_tis_infineon.c
index e3e20d899689af107bf1abc9b10b538bb467146a..41b748e7a23e09fef253ae8179c56feaeb99dc09 100644 (file)
--- a/drivers/tpm/tpm_tis_infineon.c
+++ b/drivers/tpm/tpm_tis_infineon.c
@@ -374,7 +374,8 @@ static int tpm_tis_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
 {
        struct tpm_chip *chip = dev_get_priv(dev);
        int size = 0;
-       int expected, status;
+       int status;
+       unsigned int expected;
        int rc;
 
        status = tpm_tis_i2c_status(dev);
@@ -394,7 +395,7 @@ static int tpm_tis_i2c_recv(struct udevice *dev, u8 *buf, size_t count)
        }
 
        expected = get_unaligned_be32(buf + TPM_RSP_SIZE_BYTE);
-       if ((size_t)expected > count) {
+       if ((size_t)expected > count || (size_t)expected < TPM_HEADER_SIZE) {
                debug("Error size=%x, expected=%x, count=%x\n", size, expected,
                      count);
                return -ENOSPC;