diff options
author | Juergen Repp <juergen.repp@sit.fraunhofer.de> | 2019-03-15 22:36:22 +0100 |
---|---|---|
committer | Andreas Fuchs <andreas.fuchs@sit.fraunhofer.de> | 2019-03-18 11:00:37 +0100 |
commit | fde040c85a218fcc704c48bbc50647c68f32b3e9 (patch) | |
tree | 8de2b9056785553d87313a68d70edca6791d402c /src/tss2-esys | |
parent | fca342969099b5bc2ac937cbe6ff992585d6a27a (diff) | |
download | tpm2-tss-fde040c85a218fcc704c48bbc50647c68f32b3e9.tar.gz |
ESYS: Fix usage of bad auth values.
* The size of auth value is not checked in Esys_TR_SetAuth, but the size is used for memcpy.
* memcpy caused an out-of-bound overwrite if size > sizeof(TPMU_HA).
Signed-off-by: Juergen Repp <juergen.repp@sit.fraunhofer.de>
Diffstat (limited to 'src/tss2-esys')
-rw-r--r-- | src/tss2-esys/esys_tr.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c index 042cc265..1a4e908b 100644 --- a/src/tss2-esys/esys_tr.c +++ b/src/tss2-esys/esys_tr.c @@ -374,11 +374,14 @@ Esys_TR_SetAuth(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle, if (r != TPM2_RC_SUCCESS) return r; - if (authValue == NULL) + if (authValue == NULL) { esys_object->auth.size = 0; - else + } else { + if (authValue->size > sizeof(TPMU_HA)) { + return_error(TSS2_ESYS_RC_BAD_SIZE, "Bad size for auth value."); + } esys_object->auth = *authValue; - + } return TSS2_RC_SUCCESS; } |