
Commit 6b59c25

committed
Fix Fenrir F-2165: Add size validation in TPM2_Packet_ParsePublic
1 parent 37335a8 commit 6b59c25

1 file changed

Lines changed: 53 additions & 7 deletions


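--- a/src/tpm2_packet.c
+++ b/src/tpm2_packet.c
@@ -780,33 +780,79 @@ void TPM2_Packet_AppendPublic(TPM2_Packet* packet, TPM2B_PUBLIC* pub)
 }
 void TPM2_Packet_ParsePublic(TPM2_Packet* packet, TPM2B_PUBLIC* pub)
 {
+UINT16 wireSize;
+
 TPM2_Packet_ParseU16(packet, &pub->size);
 if (pub->size > 0) {
 TPM2_Packet_ParseU16(packet, &pub->publicArea.type);
 TPM2_Packet_ParseU16(packet, &pub->publicArea.nameAlg);
 TPM2_Packet_ParseU32(packet, &pub->publicArea.objectAttributes);
-TPM2_Packet_ParseU16(packet, &pub->publicArea.authPolicy.size);
+
+TPM2_Packet_ParseU16(packet, &wireSize);
+pub->publicArea.authPolicy.size = wireSize;
+if (pub->publicArea.authPolicy.size >
+(UINT16)sizeof(pub->publicArea.authPolicy.buffer)) {
+pub->publicArea.authPolicy.size =
+(UINT16)sizeof(pub->publicArea.authPolicy.buffer);
+}
 TPM2_Packet_ParseBytes(packet, pub->publicArea.authPolicy.buffer,
 pub->publicArea.authPolicy.size);
+if (wireSize > pub->publicArea.authPolicy.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - pub->publicArea.authPolicy.size);
+}
 
 TPM2_Packet_ParsePublicParms(packet, pub->publicArea.type,
 &pub->publicArea.parameters);
 
 switch (pub->publicArea.type) {
 case TPM_ALG_KEYEDHASH:
-TPM2_Packet_ParseU16(packet, &pub->publicArea.unique.keyedHash.size);
-TPM2_Packet_ParseBytes(packet, pub->publicArea.unique.keyedHash.buffer,
+TPM2_Packet_ParseU16(packet, &wireSize);
+pub->publicArea.unique.keyedHash.size = wireSize;
+if (pub->publicArea.unique.keyedHash.size >
+(UINT16)sizeof(pub->publicArea.unique.keyedHash.buffer)) {
+pub->publicArea.unique.keyedHash.size =
+(UINT16)sizeof(pub->publicArea.unique.keyedHash.buffer);
+}
+TPM2_Packet_ParseBytes(packet,
+pub->publicArea.unique.keyedHash.buffer,
 pub->publicArea.unique.keyedHash.size);
+if (wireSize > pub->publicArea.unique.keyedHash.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - pub->publicArea.unique.keyedHash.size);
+}
 break;
 case TPM_ALG_SYMCIPHER:
-TPM2_Packet_ParseU16(packet, &pub->publicArea.unique.sym.size);
-TPM2_Packet_ParseBytes(packet, pub->publicArea.unique.sym.buffer,
+TPM2_Packet_ParseU16(packet, &wireSize);
+pub->publicArea.unique.sym.size = wireSize;
+if (pub->publicArea.unique.sym.size >
+(UINT16)sizeof(pub->publicArea.unique.sym.buffer)) {
+pub->publicArea.unique.sym.size =
+(UINT16)sizeof(pub->publicArea.unique.sym.buffer);
+}
+TPM2_Packet_ParseBytes(packet,
+pub->publicArea.unique.sym.buffer,
 pub->publicArea.unique.sym.size);
+if (wireSize > pub->publicArea.unique.sym.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - pub->publicArea.unique.sym.size);
+}
 break;
 case TPM_ALG_RSA:
-TPM2_Packet_ParseU16(packet, &pub->publicArea.unique.rsa.size);
-TPM2_Packet_ParseBytes(packet, pub->publicArea.unique.rsa.buffer,
+TPM2_Packet_ParseU16(packet, &wireSize);
+pub->publicArea.unique.rsa.size = wireSize;
+if (pub->publicArea.unique.rsa.size >
+(UINT16)sizeof(pub->publicArea.unique.rsa.buffer)) {
+pub->publicArea.unique.rsa.size =
+(UINT16)sizeof(pub->publicArea.unique.rsa.buffer);
+}
+TPM2_Packet_ParseBytes(packet,
+pub->publicArea.unique.rsa.buffer,
 pub->publicArea.unique.rsa.size);
+if (wireSize > pub->publicArea.unique.rsa.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - pub->publicArea.unique.rsa.size);
+}
 break;
 case TPM_ALG_ECC:
 TPM2_Packet_ParseEccPoint(packet, &pub->publicArea.unique.ecc);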
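Review bot: The clamp leaves the parsed structure silently inconsistent with the wire data: an oversized TPM2B length in any of the four fields (new lines 793, 812, 828, 844) is cut down to the buffer capacity and the excess skipped, but nothing records that the response was malformed, so a caller cannot tell a genuine public area from a truncated one (an authPolicy digest that was truncated is a particularly bad thing to pass on as if it were valid). Since TPM2_Packet_ParsePublic returns void this cannot be reported from here; at minimum mark the intent with a comment at each clamp such as `/* TPM2B length exceeds buffer: malformed response; clamp copy, skip remainder, caller sees truncated field */`, and consider a follow-up that surfaces the condition (for example via the packet state) so the response can be rejected. The skip also relies on TPM2_Packet_ParseBytes treating a NULL destination as "advance the cursor only", which is not visible in this hunk and is worth confirming, because a NULL reaching a memcpy-style copy would crash on exactly the input this fix targets. The outer `pub->size` is still only tested for non-zero rather than compared with the bytes actually consumed, and the TPM_ALG_ECC branch delegates to TPM2_Packet_ParseEccPoint, whose bounds checking, like the remainder of this function, lies outside the hunk. The read-clamp-copy-skip sequence is repeated four times nearly verbatim; a single static helper taking the destination buffer, its capacity and the size field would keep the four paths from drifting.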
