tpm: Check outgoing command size

In tpm_sendrecv_command() the command buffer is passed in. If a mistake is
somehow made in setting this up, the size could be out of range. Add a
sanity check for this.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Coverity (CID: 331152)

diff --git a/lib/tpm-common.c b/lib/tpm-common.c
index 4277846..82ffdc5 100644 (file)
--- a/lib/tpm-common.c
+++ b/lib/tpm-common.c
@@ -176,6 +176,11 @@ u32 tpm_sendrecv_command(struct udevice *dev, const void *command,
        }
 
        size = tpm_command_size(command);
+
+       /* sanity check, which also helps coverity */
+       if (size > COMMAND_BUFFER_SIZE)
+               return log_msg_ret("size", -E2BIG);
+
        log_debug("TPM request [size:%d]: ", size);
        for (i = 0; i < size; i++)
                log_debug("%02x ", ((u8 *)command)[i]);