summaryrefslogtreecommitdiffstats
path: root/SecurityPkg/Tcg/TcgDxe/TisDxe.c
diff options
context:
space:
mode:
Diffstat (limited to 'SecurityPkg/Tcg/TcgDxe/TisDxe.c')
-rw-r--r--SecurityPkg/Tcg/TcgDxe/TisDxe.c18
1 files changed, 16 insertions, 2 deletions
diff --git a/SecurityPkg/Tcg/TcgDxe/TisDxe.c b/SecurityPkg/Tcg/TcgDxe/TisDxe.c
index 68489d3e3f..e7e0f9e405 100644
--- a/SecurityPkg/Tcg/TcgDxe/TisDxe.c
+++ b/SecurityPkg/Tcg/TcgDxe/TisDxe.c
@@ -233,6 +233,13 @@ TisPcSendV (
return EFI_INVALID_PARAMETER;
}
+ //
+ // Check input to avoid overflow.
+ //
+ if ((UINT32) (~0)- *DataLength < (UINT32)Size) {
+ return EFI_INVALID_PARAMETER;
+ }
+
if(*DataLength + (UINT32) Size > TPMCMDBUFLENGTH) {
return EFI_BUFFER_TOO_SMALL;
}
@@ -291,9 +298,16 @@ TisPcReceiveV (
case 'r':
Size = VA_ARG (*ap, UINTN);
- if(*DataIndex + (UINT32) Size <= RespSize) {
- break;
+ //
+ // If overflowed, which means Size is big enough for Response data.
+ // skip this check. Copy the whole data
+ //
+ if ((UINT32) (~0)- *DataIndex >= (UINT32)Size) {
+ if(*DataIndex + (UINT32) Size <= RespSize) {
+ break;
+ }
}
+
*DataFinished = TRUE;
if (*DataIndex >= RespSize) {
return EFI_SUCCESS;
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-16 06:35:14 +0000