From 77d4592e3eec9ec2c7932586f41f925b43ecc5ba Mon Sep 17 00:00:00 2001
From: Imran Desai
Date: Sun, 29 Mar 2020 10:22:42 -0700
Subject: [PATCH] tools/tpm2_nvcertify.c: Fix incompatible pointer cast that may cause memory leak

Pointer "&ctx.size" and "&ctx.offset" points to an object whose effective type is "unsigned short" (16 bits, unsigned) but is dereferenced as a wider "unsigned int" (32 bits, unsigned). This may lead to memory corruption.

Signed-off-by: Imran Desai
---
 tools/tpm2_nvcertify.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/tools/tpm2_nvcertify.c b/tools/tpm2_nvcertify.c
index b49f38dbff20..414cbea85574 100644
--- a/tools/tpm2_nvcertify.c
+++ b/tools/tpm2_nvcertify.c
@@ -80,6 +80,7 @@ static bool set_signature_format(char *value) {
 static bool on_option(char key, char *value) {
 bool result = true;
+ uint32_t input_value;
 switch (key) {
 case 'C':
@@ -110,18 +111,30 @@ static bool on_option(char key, char *value) {
 ctx.policy_qualifier_arg = value;
 break;
 case 0:
- result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.size);
+ result = tpm2_util_string_to_uint32(value, &input_value);
 if (!result) {
 LOG_ERR("Could not convert size to number, got: \"%s\"", value);
 return false;
 }
+ if (input_value > UINT16_MAX) {
+ LOG_ERR("Specified size is larger than that allowed by command");
+ return false;
+ } else {
+ ctx.size = input_value;
+ }
 break;
 case 1:
- result = tpm2_util_string_to_uint32(value, (uint32_t*)&ctx.offset);
+ result = tpm2_util_string_to_uint32(value, &input_value);
 if (!result) {
 LOG_ERR("Could not convert offset to number, got: \"%s\"", value);
 return false;
 }
+ if (input_value > UINT16_MAX) {
+ LOG_ERR("Specified offset is larger than that allowed by command");
+ return false;
+ } else {
+ ctx.offset = input_value;
+ }
 break;
 case 2:
 ctx.certify_info_path = value;
-- 
2.31.0
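Review bot: In the second hunk the new `case 0` and `case 1` guards reject values above UINT16_MAX, but their messages do not echo what was rejected, unlike the conversion errors just above them; `LOG_ERR("Size must fit in 16 bits, got: \"%s\"", value);` (and the same wording for offset) would tell the user which argument failed. The `else` after `return false;` is redundant, so the assignment can follow the guard directly as `ctx.size = input_value;`, and a one-line comment such as `/* ctx.size is 16 bits wide: parse into a 32-bit temporary, range-check, then narrow */` would help keep the `(uint32_t*)&` cast from being reintroduced. Each value is bounded on its own here; whether offset plus size stays inside the NV index is not visible in this hunk and is presumably enforced later or by the TPM, which is worth confirming. on_option starts in the first hunk and continues past the end of this one.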