From fde040c85a218fcc704c48bbc50647c68f32b3e9 Mon Sep 17 00:00:00 2001
From: Juergen Repp
Date: Fri, 15 Mar 2019 22:36:22 +0100
Subject: ESYS: Fix usage of bad auth values.

* The size of auth value is not checked in Esys_TR_SetAuth, but the size is used for memcpy.
* memcpy caused an out-of-bound overwrite if size > sizeof(TPMU_HA).

Signed-off-by: Juergen Repp
---
 src/tss2-esys/esys_tr.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/tss2-esys/esys_tr.c b/src/tss2-esys/esys_tr.c
index 042cc265..1a4e908b 100644
--- a/src/tss2-esys/esys_tr.c
+++ b/src/tss2-esys/esys_tr.c
@@ -374,11 +374,14 @@ Esys_TR_SetAuth(ESYS_CONTEXT * esys_context, ESYS_TR esys_handle,
 if (r != TPM2_RC_SUCCESS)
 return r;
 
- if (authValue == NULL)
+ if (authValue == NULL) {
 esys_object->auth.size = 0;
- else
+ } else {
+ if (authValue->size > sizeof(TPMU_HA)) {
+ return_error(TSS2_ESYS_RC_BAD_SIZE, "Bad size for auth value.");
+ }
 esys_object->auth = *authValue;
-
+ }
 return TSS2_RC_SUCCESS;
 }
 
-- cgit v1.2.3
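Review bot: The new bound in the `else` branch is written against a type name, `sizeof(TPMU_HA)`, rather than the destination that `auth.size` later indexes; `if (authValue->size > sizeof(esys_object->auth.buffer)) {` would keep the check tied to the real buffer if the field's type ever changes (this assumes `auth` is a `TPM2B_AUTH` with a `buffer` member, which the hunk does not show). The struct assignment copies a fixed-size object, so the overwrite described in the commit message presumably happens where `auth.size` is consumed later; those consumers are outside this diff, and a bound there too would cover sizes that reach the object by other routes. Esys_TR_SetAuth begins above the hunk, and its doc comment should list the new return code, e.g. `@retval TSS2_ESYS_RC_BAD_SIZE if authValue->size exceeds the auth buffer.` The diffstat shows only esys_tr.c changed, so a test that passes an oversized `authValue` and expects `TSS2_ESYS_RC_BAD_SIZE` with the stored auth left untouched would pin this behaviour.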