1 files changed, 11 insertions, 2 deletions

diff --git a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c
index 180f360830..cc77785de1 100644
--- a/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c
+++ b/SecurityPkg/Library/Tpm2CommandLib/Tpm2Help.c
@@ -1,7 +1,7 @@
 /** @file

   Implement TPM2 help.

 

-Copyright (c) 2013 - 2017, Intel Corporation. All rights reserved. <BR>

+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved. <BR>

 This program and the accompanying materials

 are licensed and made available under the terms and conditions of the BSD License

 which accompanies this distribution.  The full text of the license may be found at

@@ -150,7 +150,8 @@ CopyAuthSessionCommand (
   @param [in]  AuthSessionIn   Input AuthSession data in TPM2 response buffer

   @param [out] AuthSessionOut  Output AuthSession data

 

-  @return AuthSession size

+  @return 0    copy failed

+          else AuthSession size

 **/

 UINT32

 EFIAPI

@@ -171,6 +172,10 @@ CopyAuthSessionResponse (
   // nonce

   AuthSessionOut->nonce.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));

   Buffer += sizeof(UINT16);

+  if (AuthSessionOut->nonce.size > sizeof(TPMU_HA)) {

+    DEBUG ((DEBUG_ERROR, "CopyAuthSessionResponse - nonce.size error %x\n", AuthSessionOut->nonce.size));

+    return 0;

+  }

 

   CopyMem (AuthSessionOut->nonce.buffer, Buffer, AuthSessionOut->nonce.size);

   Buffer += AuthSessionOut->nonce.size;

@@ -182,6 +187,10 @@ CopyAuthSessionResponse (
   // hmac

   AuthSessionOut->hmac.size = SwapBytes16 (ReadUnaligned16 ((UINT16 *)Buffer));

   Buffer += sizeof(UINT16);

+  if (AuthSessionOut->hmac.size > sizeof(TPMU_HA)) {

+    DEBUG ((DEBUG_ERROR, "CopyAuthSessionResponse - hmac.size error %x\n", AuthSessionOut->hmac.size));

+    return 0;

+  }

 

   CopyMem (AuthSessionOut->hmac.buffer, Buffer, AuthSessionOut->hmac.size);

   Buffer += AuthSessionOut->hmac.size;