
Commit 92854c5

committed
Fix Fenrir F-2166: Add size validation in TPM2_Packet_ParseAttest
1 parent 6b59c25 commit 92854c5

1 file changed

Lines changed: 154 additions & 19 deletions


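--- a/src/tpm2_packet.c
+++ b/src/tpm2_packet.c
@@ -973,6 +973,8 @@ void TPM2_Packet_ParseSignature(TPM2_Packet* packet, TPMT_SIGNATURE* sig)
 
 void TPM2_Packet_ParseAttest(TPM2_Packet* packet, TPMS_ATTEST* out)
 {
+UINT16 wireSize;
+
 XMEMSET(out, 0, sizeof(TPMS_ATTEST));
 
 TPM2_Packet_ParseU32(packet, &out->magic);
@@ -985,13 +987,33 @@ void TPM2_Packet_ParseAttest(TPM2_Packet* packet, TPMS_ATTEST* out)
 
 TPM2_Packet_ParseU16(packet, &out->type);
 
-TPM2_Packet_ParseU16(packet, &out->qualifiedSigner.size);
+TPM2_Packet_ParseU16(packet, &wireSize);
+out->qualifiedSigner.size = wireSize;
+if (out->qualifiedSigner.size >
+(UINT16)sizeof(out->qualifiedSigner.name)) {
+out->qualifiedSigner.size =
+(UINT16)sizeof(out->qualifiedSigner.name);
+}
 TPM2_Packet_ParseBytes(packet, out->qualifiedSigner.name,
 out->qualifiedSigner.size);
+if (wireSize > out->qualifiedSigner.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - out->qualifiedSigner.size);
+}
 
-TPM2_Packet_ParseU16(packet, &out->extraData.size);
+TPM2_Packet_ParseU16(packet, &wireSize);
+out->extraData.size = wireSize;
+if (out->extraData.size >
+(UINT16)sizeof(out->extraData.buffer)) {
+out->extraData.size =
+(UINT16)sizeof(out->extraData.buffer);
+}
 TPM2_Packet_ParseBytes(packet, out->extraData.buffer,
 out->extraData.size);
+if (wireSize > out->extraData.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - out->extraData.size);
+}
 
 TPM2_Packet_ParseU64(packet, &out->clockInfo.clock);
 TPM2_Packet_ParseU32(packet, &out->clockInfo.resetCount);
@@ -1002,42 +1024,133 @@ void TPM2_Packet_ParseAttest(TPM2_Packet* packet, TPMS_ATTEST* out)
 
 switch (out->type) {
 case TPM_ST_ATTEST_CERTIFY:
-TPM2_Packet_ParseU16(packet, &out->attested.certify.name.size);
+TPM2_Packet_ParseU16(packet, &wireSize);
+out->attested.certify.name.size = wireSize;
+if (out->attested.certify.name.size >
+(UINT16)sizeof(out->attested.certify.name.name)) {
+out->attested.certify.name.size =
+(UINT16)sizeof(out->attested.certify.name.name);
+}
 TPM2_Packet_ParseBytes(packet, out->attested.certify.name.name,
 out->attested.certify.name.size);
-TPM2_Packet_ParseU16(packet, &out->attested.certify.qualifiedName.size);
-TPM2_Packet_ParseBytes(packet, out->attested.certify.qualifiedName.name,
+if (wireSize > out->attested.certify.name.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - out->attested.certify.name.size);
+}
+
+TPM2_Packet_ParseU16(packet, &wireSize);
+out->attested.certify.qualifiedName.size = wireSize;
+if (out->attested.certify.qualifiedName.size >
+(UINT16)sizeof(out->attested.certify.qualifiedName.name)) {
+out->attested.certify.qualifiedName.size =
+(UINT16)sizeof(out->attested.certify.qualifiedName.name);
+}
+TPM2_Packet_ParseBytes(packet,
+out->attested.certify.qualifiedName.name,
 out->attested.certify.qualifiedName.size);
+if (wireSize > out->attested.certify.qualifiedName.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - out->attested.certify.qualifiedName.size);
+}
 break;
 case TPM_ST_ATTEST_CREATION:
-TPM2_Packet_ParseU16(packet, &out->attested.creation.objectName.size);
-TPM2_Packet_ParseBytes(packet, out->attested.creation.objectName.name,
+TPM2_Packet_ParseU16(packet, &wireSize);
+out->attested.creation.objectName.size = wireSize;
+if (out->attested.creation.objectName.size >
+(UINT16)sizeof(out->attested.creation.objectName.name)) {
+out->attested.creation.objectName.size =
+(UINT16)sizeof(out->attested.creation.objectName.name);
+}
+TPM2_Packet_ParseBytes(packet,
+out->attested.creation.objectName.name,
 out->attested.creation.objectName.size);
-TPM2_Packet_ParseU16(packet, &out->attested.creation.creationHash.size);
-TPM2_Packet_ParseBytes(packet, out->attested.creation.creationHash.buffer,
+if (wireSize > out->attested.creation.objectName.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - out->attested.creation.objectName.size);
+}
+
+TPM2_Packet_ParseU16(packet, &wireSize);
+out->attested.creation.creationHash.size = wireSize;
+if (out->attested.creation.creationHash.size >
+(UINT16)sizeof(out->attested.creation.creationHash.buffer)) {
+out->attested.creation.creationHash.size =
+(UINT16)sizeof(out->attested.creation.creationHash.buffer);
+}
+TPM2_Packet_ParseBytes(packet,
+out->attested.creation.creationHash.buffer,
 out->attested.creation.creationHash.size);
+if (wireSize > out->attested.creation.creationHash.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - out->attested.creation.creationHash.size);
+}
 break;
 case TPM_ST_ATTEST_QUOTE:
 TPM2_Packet_ParsePCR(packet, &out->attested.quote.pcrSelect);
-TPM2_Packet_ParseU16(packet, &out->attested.quote.pcrDigest.size);
-TPM2_Packet_ParseBytes(packet, out->attested.quote.pcrDigest.buffer,
+TPM2_Packet_ParseU16(packet, &wireSize);
+out->attested.quote.pcrDigest.size = wireSize;
+if (out->attested.quote.pcrDigest.size >
+(UINT16)sizeof(out->attested.quote.pcrDigest.buffer)) {
+out->attested.quote.pcrDigest.size =
+(UINT16)sizeof(out->attested.quote.pcrDigest.buffer);
+}
+TPM2_Packet_ParseBytes(packet,
+out->attested.quote.pcrDigest.buffer,
 out->attested.quote.pcrDigest.size);
+if (wireSize > out->attested.quote.pcrDigest.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - out->attested.quote.pcrDigest.size);
+}
 break;
 case TPM_ST_ATTEST_COMMAND_AUDIT:
 TPM2_Packet_ParseU64(packet, &out->attested.commandAudit.auditCounter);
 TPM2_Packet_ParseU16(packet, &out->attested.commandAudit.digestAlg);
-TPM2_Packet_ParseU16(packet, &out->attested.commandAudit.auditDigest.size);
-TPM2_Packet_ParseBytes(packet, out->attested.commandAudit.auditDigest.buffer,
+
+TPM2_Packet_ParseU16(packet, &wireSize);
+out->attested.commandAudit.auditDigest.size = wireSize;
+if (out->attested.commandAudit.auditDigest.size >
+(UINT16)sizeof(out->attested.commandAudit.auditDigest.buffer)) {
+out->attested.commandAudit.auditDigest.size =
+(UINT16)sizeof(out->attested.commandAudit.auditDigest.buffer);
+}
+TPM2_Packet_ParseBytes(packet,
+out->attested.commandAudit.auditDigest.buffer,
 out->attested.commandAudit.auditDigest.size);
-TPM2_Packet_ParseU16(packet, &out->attested.commandAudit.commandDigest.size);
-TPM2_Packet_ParseBytes(packet, out->attested.commandAudit.commandDigest.buffer,
+if (wireSize > out->attested.commandAudit.auditDigest.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - out->attested.commandAudit.auditDigest.size);
+}
+
+TPM2_Packet_ParseU16(packet, &wireSize);
+out->attested.commandAudit.commandDigest.size = wireSize;
+if (out->attested.commandAudit.commandDigest.size >
+(UINT16)sizeof(out->attested.commandAudit.commandDigest.buffer)) {
+out->attested.commandAudit.commandDigest.size =
+(UINT16)sizeof(out->attested.commandAudit.commandDigest.buffer);
+}
+TPM2_Packet_ParseBytes(packet,
+out->attested.commandAudit.commandDigest.buffer,
 out->attested.commandAudit.commandDigest.size);
+if (wireSize > out->attested.commandAudit.commandDigest.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - out->attested.commandAudit.commandDigest.size);
+}
 break;
 case TPM_ST_ATTEST_SESSION_AUDIT:
 TPM2_Packet_ParseU8(packet, &out->attested.sessionAudit.exclusiveSession);
-TPM2_Packet_ParseU16(packet, &out->attested.sessionAudit.sessionDigest.size);
-TPM2_Packet_ParseBytes(packet, out->attested.sessionAudit.sessionDigest.buffer,
+TPM2_Packet_ParseU16(packet, &wireSize);
+out->attested.sessionAudit.sessionDigest.size = wireSize;
+if (out->attested.sessionAudit.sessionDigest.size >
+(UINT16)sizeof(out->attested.sessionAudit.sessionDigest.buffer)) {
+out->attested.sessionAudit.sessionDigest.size =
+(UINT16)sizeof(out->attested.sessionAudit.sessionDigest.buffer);
+}
+TPM2_Packet_ParseBytes(packet,
+out->attested.sessionAudit.sessionDigest.buffer,
 out->attested.sessionAudit.sessionDigest.size);
+if (wireSize > out->attested.sessionAudit.sessionDigest.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - out->attested.sessionAudit.sessionDigest.size);
+}
 break;
 case TPM_ST_ATTEST_TIME:
 TPM2_Packet_ParseU64(packet, &out->attested.time.time.time);
@@ -1048,13 +1161,35 @@ void TPM2_Packet_ParseAttest(TPM2_Packet* packet, TPMS_ATTEST* out)
 TPM2_Packet_ParseU64(packet, &out->attested.time.firmwareVersion);
 break;
 case TPM_ST_ATTEST_NV:
-TPM2_Packet_ParseU16(packet, &out->attested.nv.indexName.size);
+TPM2_Packet_ParseU16(packet, &wireSize);
+out->attested.nv.indexName.size = wireSize;
+if (out->attested.nv.indexName.size >
+(UINT16)sizeof(out->attested.nv.indexName.name)) {
+out->attested.nv.indexName.size =
+(UINT16)sizeof(out->attested.nv.indexName.name);
+}
 TPM2_Packet_ParseBytes(packet, out->attested.nv.indexName.name,
 out->attested.nv.indexName.size);
+if (wireSize > out->attested.nv.indexName.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - out->attested.nv.indexName.size);
+}
+
 TPM2_Packet_ParseU16(packet, &out->attested.nv.offset);
-TPM2_Packet_ParseU16(packet, &out->attested.nv.nvContents.size);
+
+TPM2_Packet_ParseU16(packet, &wireSize);
+out->attested.nv.nvContents.size = wireSize;
+if (out->attested.nv.nvContents.size >
+(UINT16)sizeof(out->attested.nv.nvContents.buffer)) {
+out->attested.nv.nvContents.size =
+(UINT16)sizeof(out->attested.nv.nvContents.buffer);
+}
 TPM2_Packet_ParseBytes(packet, out->attested.nv.nvContents.buffer,
 out->attested.nv.nvContents.size);
+if (wireSize > out->attested.nv.nvContents.size) {
+TPM2_Packet_ParseBytes(packet, NULL,
+wireSize - out->attested.nv.nvContents.size);
+}
 break;
 default:
 /* unknown attestation type */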
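Review bot: The clamp introduced at new lines 992–996 of the second hunk, and repeated for every sized field in the third and fourth hunks, silently rewrites an over-long size field to the local buffer size while TPM2_Packet_ParseAttest stays void, so a caller gets a truncated field with no signal that the attestation was malformed; the policy should at least be recorded next to the first clamp, e.g. `/* Oversized TPM2B fields are truncated to the local buffer and the excess wire bytes skipped; this is not reported, so the caller's own checks (signature verification) are what catch a mismatch. */`. Whether the trailing skip keeps the parse position within the packet depends on TPM2_Packet_ParseBytes honoring the packet bound for a NULL destination, which is outside these hunks and worth confirming. The same ten-line read/clamp/copy/skip sequence now appears nine times; a static helper would keep the bound check in one place and reduce each field to a single call. TPM2_Packet_ParseAttest begins in the first hunk and its body continues past the end of the fourth.
```c
/* Read a TPM2B-style (UINT16 size, bytes) field into a fixed-size buffer.
 * The stored size is clamped to bufSz; excess wire bytes are skipped so the
 * parse position stays aligned with the packet. Truncation is not reported. */
static void TPM2_Packet_ParseSizedBuf(TPM2_Packet* packet, UINT16* size,
    BYTE* buf, UINT16 bufSz)
{
    UINT16 wireSize;
    TPM2_Packet_ParseU16(packet, &wireSize);
    *size = (wireSize > bufSz) ? bufSz : wireSize;
    TPM2_Packet_ParseBytes(packet, buf, *size);
    if (wireSize > *size) {
        TPM2_Packet_ParseBytes(packet, NULL, wireSize - *size);
    }
}

/* … in TPM2_Packet_ParseAttest, each sized field becomes one call, e.g.: … */
TPM2_Packet_ParseSizedBuf(packet, &out->qualifiedSigner.size,
    out->qualifiedSigner.name, (UINT16)sizeof(out->qualifiedSigner.name));
```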
