@@ -540,6 +540,14 @@ int wolfTPM2_SetKeyBlobFromBuffer(WOLFTPM2_KEYBLOB* key, byte *buffer,
540540 runner += sizeof (key -> pub .size );
541541 done_reading += sizeof (key -> pub .size );
542542
543+ if (key -> pub .size > sizeof (pubAreaBuffer ) - sizeof (UINT16 )) {
544+ #ifdef DEBUG_WOLFTPM
545+ printf ("Public key size too large (%d > %d)\n" ,
546+ key -> pub .size , (int )(sizeof (pubAreaBuffer ) - sizeof (UINT16 )));
547+ #endif
548+ return BUFFER_E ;
549+ }
550+
543551 if (bufferSz < done_reading + sizeof (UINT16 ) + key -> pub .size ) {
544552#ifdef DEBUG_WOLFTPM
545553 printf ("Buffer size check failed (%d)\n" , bufferSz );
@@ -569,6 +577,14 @@ int wolfTPM2_SetKeyBlobFromBuffer(WOLFTPM2_KEYBLOB* key, byte *buffer,
569577 runner += sizeof (key -> priv .size );
570578 done_reading += sizeof (key -> priv .size );
571579
580+ if (key -> priv .size > sizeof (key -> priv .buffer )) {
581+ #ifdef DEBUG_WOLFTPM
582+ printf ("Private key size too large (%d > %d)\n" ,
583+ key -> priv .size , (int )sizeof (key -> priv .buffer ));
584+ #endif
585+ return BUFFER_E ;
586+ }
587+
572588 if (bufferSz < done_reading + key -> priv .size ) {
573589#ifdef DEBUG_WOLFTPM
574590 printf ("Buffer size check failed (%d)\n" , bufferSz );
@@ -1032,7 +1048,7 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
10321048{
10331049 const TPM2B_AUTH * auth = NULL ;
10341050 const TPM2B_NAME * name = NULL ;
1035- if (dev == NULL || index >= MAX_SESSION_NUM ) {
1051+ if (dev == NULL || index < 0 || index >= MAX_SESSION_NUM ) {
10361052 return BAD_FUNC_ARG ;
10371053 }
10381054
@@ -1063,8 +1079,11 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
10631079 session -> auth .size = authDigestSz + handle -> auth .size ;
10641080 XMEMCPY (& session -> auth .buffer [authDigestSz ], handle -> auth .buffer ,
10651081 handle -> auth .size );
1082+ if (handle -> name .size > sizeof (session -> name .name )) {
1083+ return BUFFER_E ;
1084+ }
10661085 session -> name .size = handle -> name .size ;
1067- XMEMCPY (session -> name .name , handle -> name .name , handle -> name .size );
1086+ XMEMCPY (session -> name .name , handle -> name .name , session -> name .size );
10681087 return TPM_RC_SUCCESS ;
10691088 }
10701089 auth = & handle -> auth ;
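Review bot: The new name-size guard at 1082 runs after session->auth.size and session->auth.buffer have already been written (1079-1081), so a BUFFER_E return leaves the session half-updated; move the check above the auth copy, i.e. before `session->auth.size = authDigestSz + handle->auth.size;`. The auth copy itself is still unbounded in this hunk: `authDigestSz + handle->auth.size` is never compared with `sizeof(session->auth.buffer)`, so the same class of overflow this commit closes for the name remains for auth unless authDigestSz and handle->auth.size are bounded earlier (not visible here — confirm). A guard of the form `if (authDigestSz + handle->auth.size > sizeof(session->auth.buffer)) return BUFFER_E;` placed ahead of the XMEMCPY would close it. wolfTPM2_SetAuthHandle's body begins and ends outside the hunk.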
@@ -1079,7 +1098,7 @@ int wolfTPM2_SetAuthHandleName(WOLFTPM2_DEV* dev, int index,
10791098 const TPM2B_NAME * name = NULL ;
10801099 TPM2_AUTH_SESSION * session ;
10811100
1082- if (dev == NULL || handle == NULL || index >= MAX_SESSION_NUM ) {
1101+ if (dev == NULL || handle == NULL || index < 0 || index >= MAX_SESSION_NUM ) {
10831102 return BAD_FUNC_ARG ;
10841103 }
10851104
@@ -1136,7 +1155,7 @@ int wolfTPM2_SetAuthSession(WOLFTPM2_DEV* dev, int index,
11361155{
11371156 int rc ;
11381157
1139- if (dev == NULL || index >= MAX_SESSION_NUM ) {
1158+ if (dev == NULL || index < 0 || index >= MAX_SESSION_NUM ) {
11401159 return BAD_FUNC_ARG ;
11411160 }
11421161
@@ -2939,6 +2958,9 @@ int wolfTPM2_ImportEccPrivateKeySeed(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* pare
29392958 if (rc == 0 ) {
29402959 rc = wolfTPM2_ImportPrivateKey (dev , parentKey , keyBlob , & pub , & sens );
29412960 }
2961+
2962+ TPM2_ForceZero (& sens , sizeof (sens ));
2963+
29422964 return rc ;
29432965}
29442966
@@ -3684,6 +3706,10 @@ int wolfTPM2_CreateRsaKeyBlob(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKey,
36843706 /* not used */
36853707 (void )p ;
36863708
3709+ TPM2_ForceZero (d , sizeof (d ));
3710+ TPM2_ForceZero (p , sizeof (p ));
3711+ TPM2_ForceZero (q , sizeof (q ));
3712+
36873713 return rc ;
36883714}
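Review bot: `TPM2_ForceZero(d, sizeof(d))` at 3709-3711 only wipes the full secret if d, p and q are local arrays; if any of them is a pointer (or a parameter), sizeof gives the pointer width and the key material is left in memory, so their declarations, which are outside the hunk, should be confirmed and the wipe length tied to the buffer size used when they were filled. The wipe is also placed just before the final `return rc;`, so any early `return` between filling d and this point would skip it; a single cleanup label that all paths reach (`goto exit;` style, as wolfTPM2_LoadSymmetricKey already uses) makes the zeroization unconditional. The hunks at 3758-3760, 3944 and 4022 follow the same pattern. wolfTPM2_CreateRsaKeyBlob's body begins outside the hunk.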
36893715
@@ -3728,6 +3754,10 @@ int wolfTPM2_RsaKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKe
37283754
37293755 /* not used */
37303756 (void )p ;
3757+
3758+ TPM2_ForceZero (d , sizeof (d ));
3759+ TPM2_ForceZero (p , sizeof (p ));
3760+ TPM2_ForceZero (q , sizeof (q ));
37313761 }
37323762 else {
37333763 /* export the raw public RSA portion */
@@ -3911,6 +3941,8 @@ int wolfTPM2_CreateEccKeyBlob(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* parentKey,
39113941 qx , qxSz , qy , qySz , d , dSz );
39123942 }
39133943
3944+ TPM2_ForceZero (d , sizeof (d ));
3945+
39143946 return rc ;
39153947}
39163948
@@ -3986,6 +4018,8 @@ int wolfTPM2_EccKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* parentKey,
39864018 rc = wolfTPM2_LoadEccPrivateKey (dev , parentKey , tpmKey , curve_id ,
39874019 qx , qxSz , qy , qySz , d , dSz );
39884020 }
4021+
4022+ TPM2_ForceZero (d , sizeof (d ));
39894023 }
39904024 else {
39914025 /* export the raw public ECC portion */
@@ -5231,6 +5265,10 @@ int wolfTPM2_NVReadCert(WOLFTPM2_DEV* dev, TPM_HANDLE handle,
52315265 WOLFTPM2_NV nv ;
52325266 TPMS_NV_PUBLIC nvPublic ;
52335267
5268+ if (len == NULL ) {
5269+ return BAD_FUNC_ARG ;
5270+ }
5271+
52345272 XMEMSET (& nvPublic , 0 , sizeof (nvPublic ));
52355273 XMEMSET (& nv , 0 , sizeof (nv ));
52365274
@@ -5530,7 +5568,7 @@ int wolfTPM2_GetRandom(WOLFTPM2_DEV* dev, byte* buf, word32 len)
55305568 }
55315569
55325570 sz = out .randomBytes .size ; /* use actual returned size */
5533- if (sz > MAX_RNG_REQ_SIZE ) {
5571+ if (sz == 0 || sz > MAX_RNG_REQ_SIZE || sz > ( len - pos ) ) {
55345572 #ifdef DEBUG_WOLFTPM
55355573 printf ("wolfTPM2_GetRandom out size error\n" );
55365574 #endif
@@ -5857,6 +5895,8 @@ int wolfTPM2_LoadSymmetricKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key, int alg,
58575895
58585896exit :
58595897
5898+ TPM2_ForceZero (& loadExtIn .inPrivate , sizeof (loadExtIn .inPrivate ));
5899+
58605900 if (rc != TPM_RC_SUCCESS ) {
58615901 #ifdef DEBUG_WOLFTPM
58625902 printf ("TPM2_LoadExternal: failed %d: %s\n" ,
@@ -6097,6 +6137,8 @@ int wolfTPM2_LoadKeyedHashKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
60976137 (word32 )key -> handle .hndl );
60986138#endif
60996139
6140+ TPM2_ForceZero (& createIn .inSensitive , sizeof (createIn .inSensitive ));
6141+
61006142 return rc ;
61016143}
61026144