tpm: Require a response to have minimum size of a valid response header

Defend against a broken TPM 1.2 or TPM 2.0 that doesn't send at least
a full response header in the response but less than 10 bytes.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

diff --git a/src/hw/tpm_drivers.c b/src/hw/tpm_drivers.c
index e4770b35e4a5a5f5d2d70c41c96d66f8e01501bd..2b5753c133fc74b7af52b74b5f427a27815d03d5 100644 (file)
--- a/src/hw/tpm_drivers.c
+++ b/src/hw/tpm_drivers.c
@@ -620,7 +620,8 @@ tpmhw_transmit(u8 locty, struct tpm_req_header *req,
         return -1;
 
     irc = td->readresp(respbuffer, respbufferlen);
-    if (irc != 0)
+    if (irc != 0 ||
+        *respbufferlen < sizeof(struct tpm_rsp_header))
         return -1;
 
     td->ready();