3 files changed, 15 insertions, 0 deletions

diff --git a/src/security/tpm/tspi/log-tpm1.c b/src/security/tpm/tspi/log-tpm1.c
index 529442630445..3b192d706955 100644
--- a/src/security/tpm/tspi/log-tpm1.c
+++ b/src/security/tpm/tspi/log-tpm1.c
@@ -170,6 +170,11 @@ void tpm1_log_copy_entries(const void *from, void *to)
 	int i;
 
 	for (i = 0; i < le16toh(from_log->vendor.num_entries); i++) {
+		if (le16toh(to_log->vendor.num_entries) >= le16toh(to_log->vendor.max_entries)) {
+			printk(BIOS_WARNING, "TPM LOG: log table is full\n");
+			return;
+		}
+
 		struct tpm_1_log_entry *tce =
 			&to_log->entries[le16toh(to_log->vendor.num_entries)];
 		memcpy(tce, &from_log->entries[i], sizeof(*tce));
diff --git a/src/security/tpm/tspi/log-tpm2.c b/src/security/tpm/tspi/log-tpm2.c
index 897ccedbff37..c7bbc9e42bc1 100644
--- a/src/security/tpm/tspi/log-tpm2.c
+++ b/src/security/tpm/tspi/log-tpm2.c
@@ -213,6 +213,11 @@ void tpm2_log_copy_entries(const void *from, void *to)
 	int i;
 
 	for (i = 0; i < le16toh(from_log->vendor.num_entries); i++) {
+		if (le16toh(to_log->vendor.num_entries) >= le16toh(to_log->vendor.max_entries)) {
+			printk(BIOS_WARNING, "TPM LOG: log table is full\n");
+			return;
+		}
+
 		struct tpm_2_log_entry *tce =
 			&to_log->entries[le16toh(to_log->vendor.num_entries)];
 		to_log->vendor.num_entries = htole16(le16toh(to_log->vendor.num_entries) + 1);
diff --git a/src/security/tpm/tspi/log.c b/src/security/tpm/tspi/log.c
index b7e59f804e6f..9798eabd4566 100644
--- a/src/security/tpm/tspi/log.c
+++ b/src/security/tpm/tspi/log.c
@@ -145,6 +145,11 @@ void tpm_cb_log_copy_entries(const void *from, void *to)
 	int i;
 
 	for (i = 0; i < from_log->num_entries; i++) {
+		if (to_log->num_entries >= to_log->max_entries) {
+			printk(BIOS_ERR, "TPM LOG: log table is full\n");
+			return;
+		}
+
 		struct tpm_cb_log_entry *tce = &to_log->entries[to_log->num_entries++];
 
 		strncpy(tce->name, from_log->entries[i].name, TPM_CB_LOG_PCR_HASH_NAME - 1);