From 0672bd3b6affd414ac8721686a0ed1bef8fd73b3 Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.vnet.ibm.com>
Date: Wed, 6 Nov 2019 16:35:59 -0500
Subject: [PATCH] tpm: Require a response to have minimum size of a valid
 response header
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Defend against a broken TPM 1.2 or TPM 2.0 that doesn't send at least
a full response header in the response but less than 10 bytes.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/hw/tpm_drivers.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/hw/tpm_drivers.c b/src/hw/tpm_drivers.c
index e4770b3..2b5753c 100644
--- a/src/hw/tpm_drivers.c
+++ b/src/hw/tpm_drivers.c
@@ -620,7 +620,8 @@ tpmhw_transmit(u8 locty, struct tpm_req_header *req,
         return -1;
 
     irc = td->readresp(respbuffer, respbufferlen);
-    if (irc != 0)
+    if (irc != 0 ||
+        *respbufferlen < sizeof(struct tpm_rsp_header))
         return -1;
 
     td->ready();
-- 
2.39.5