/** @file \r
This module implements TCG EFI Protocol.\r
- \r
+ \r
+Caution: This module requires additional review when modified.\r
+This driver will have external input - TcgDxePassThroughToTpm\r
+This external input must be validated carefully to avoid security issue like\r
+buffer overflow, integer overflow.\r
+\r
+TcgDxePassThroughToTpm() will receive untrusted input and do basic validation.\r
+\r
Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials \r
are licensed and made available under the terms and conditions of the BSD License \r
{\r
TCG_DXE_DATA *TcgData;\r
\r
+ if (TpmInputParameterBlock == NULL || \r
+ TpmOutputParameterBlock == NULL || \r
+ TpmInputParameterBlockSize == 0 ||\r
+ TpmOutputParameterBlockSize == 0) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
TcgData = TCG_DXE_DATA_FROM_THIS (This);\r
\r
return TisPcExecute (\r
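Review bot: The new guard in TcgDxePassThroughToTpm rejects only NULL pointers and zero sizes, so a non-zero TpmInputParameterBlockSize that is shorter than a TPM command header, or that disagrees with the length field inside the block, still reaches TisPcExecute. The call is cut off at the end of this hunk, so whether the callee catches that cannot be seen here; if it does not, a minimum-size test such as `TpmInputParameterBlockSize < sizeof (TPM_RQU_COMMAND_HDR)` returning EFI_INVALID_PARAMETER belongs in this guard. `This` is also not checked before `TCG_DXE_DATA_FROM_THIS (This)` uses it. Since the file header now names this function as the untrusted entry point, a short comment saying which bounds are enforced here and which are left to the callee would help the next reviewer.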
return EFI_INVALID_PARAMETER;\r
}\r
\r
+ //\r
+ // Check input to avoid overflow.\r
+ //\r
+ if ((UINT32) (~0)- *DataLength < (UINT32)Size) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
if(*DataLength + (UINT32) Size > TPMCMDBUFLENGTH) {\r
return EFI_BUFFER_TOO_SMALL;\r
}\r
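Review bot: Both comparisons cast Size to UINT32 before testing it, so on a 64-bit build a Size whose low 32 bits are small would pass the new overflow test and the TPMCMDBUFLENGTH test even though the full value is larger. Size's declaration is outside this hunk, but the `case 'r'` hunk below reads it as `VA_ARG (*ap, UINTN)`, and its added test `(UINT32) (~0)- *DataIndex >= (UINT32)Size` truncates the same way. Whether the full-width Size is used after these checks is not visible here. Comparing against the remaining space without a cast covers wraparound and truncation in one test: `if (*DataLength > TPMCMDBUFLENGTH || Size > TPMCMDBUFLENGTH - *DataLength) {`. That form yields one status for both cases, so keep a separate EFI_INVALID_PARAMETER branch if callers distinguish them.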
\r
case 'r':\r
Size = VA_ARG (*ap, UINTN);\r
- if(*DataIndex + (UINT32) Size <= RespSize) {\r
- break;\r
+ //\r
+ // If overflowed, which means Size is big enough for Response data. \r
+ // skip this check. Copy the whole data \r
+ //\r
+ if ((UINT32) (~0)- *DataIndex >= (UINT32)Size) {\r
+ if(*DataIndex + (UINT32) Size <= RespSize) {\r
+ break;\r
+ }\r
}\r
+\r
*DataFinished = TRUE;\r
if (*DataIndex >= RespSize) {\r
return EFI_SUCCESS;\r
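Review bot: The added comment reads as if an overflowing Size were acceptable input, and the nested `if` makes the fall-through to the partial-copy path easy to miss. A comment such as `// A sum that wraps means Size exceeds what is left of the response; fall through and return only the remaining bytes.` states the intent directly. The two tests can also be written as one subtraction-based condition that cannot wrap, `if (*DataIndex <= RespSize && Size <= RespSize - *DataIndex) {`. The code that follows `*DataFinished = TRUE` is outside the hunk, so confirm that the copy there is bounded by `RespSize - *DataIndex` and not by Size.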