swtpm: Use uint64_t to avoid integer wrap-around when adding a uint32_t
To avoid an integer wrap-around use uint64_t for 'offset' so that adding
an untrusted 32-bit number will allow for comparison against the trusted
'buffer_len' 32-bit number:
    if (offset + td->tlv.length > buffer_len)
        return NULL;
This avoids possible out-of-bound accesses and crashes when reading
specially crafted TPM state input data that have a tlv.length that is so
large that it causes an integer overflow.
Resolves: https://github.com/stefanberger/swtpm/issues/678
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
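The wrap-around described in the commit message, as an added example that is not swtpm code: the same TLV walker is instantiated once with a 32-bit `offset` and once with a 64-bit one, then run on constructed input. The 6-byte header layout, the names `find_tag_u32`/`find_tag_u64` and the sample bytes are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 6u /* assumed layout: 16-bit tag, 32-bit length, big-endian */

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Expands to a walker whose 'offset' has type T; returns 1 when a record
 * with the wanted tag passes the length check, 0 otherwise. */
#define DEFINE_FIND(name, T)                                              \
static int name(const unsigned char *buf, uint32_t buf_len, uint16_t tag) \
{                                                                         \
    T offset = 0;                                                         \
    while (offset < buf_len) {                                            \
        if (offset + HDR_LEN > buf_len)                                   \
            return 0;                                                     \
        uint16_t t = (uint16_t)((buf[offset] << 8) | buf[offset + 1]);    \
        uint32_t length = be32(buf + offset + 2); /* untrusted */         \
        offset += HDR_LEN;                                                \
        if (offset + length > buf_len) /* wraps when T is 32-bit */       \
            return 0;                                                     \
        if (t == tag)                                                     \
            return 1; /* caller would now trust 'length' */               \
        offset += length;                                                 \
    }                                                                     \
    return 0;                                                             \
}

DEFINE_FIND(find_tag_u32, uint32_t) /* models the code before the patch */
DEFINE_FIND(find_tag_u64, uint64_t) /* models the code after the patch  */

/* Constructed samples: tag 0x0001, then length, then two payload bytes. */
static const unsigned char crafted[] = {0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFA, 0xAA, 0xBB};
static const unsigned char valid[]   = {0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0xAA, 0xBB};

int main(void)
{
    printf("crafted: u32=%d u64=%d\n", find_tag_u32(crafted, sizeof crafted, 1),
           find_tag_u64(crafted, sizeof crafted, 1));
    printf("valid:   u32=%d u64=%d\n", find_tag_u32(valid, sizeof valid, 1),
           find_tag_u64(valid, sizeof valid, 1));
    return 0;
}
```

With the 32-bit offset, 6 + 0xFFFFFFFA wraps to 0, so the crafted record passes the check with a length far larger than the 8-byte buffer; the 64-bit offset rejects it while still accepting the valid record.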
diff --git a/src/swtpm/tlv.c b/src/swtpm/tlv.c
index fabf207..a46b361 100644
--- a/src/swtpm/tlv.c
+++ b/src/swtpm/tlv.c
@@ -126,7 +126,7 @@
tlv_data_find_tag(const unsigned char *buffer, uint32_t buffer_len,
uint16_t tag, tlv_data *td)
{
- uint32_t offset = 0;
+ uint64_t offset = 0; /* uint64_t to prevent integer overflow */
while (offset < buffer_len) {
if (offset + sizeof(td->tlv) > buffer_len)
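Review bot: The new comment on the `offset` declaration says only "to prevent integer overflow" and does not name the addition it protects, so a later cleanup could narrow the type back to match `buffer_len` without noticing. Consider naming the operand in the comment (the untrusted `td->tlv.length` from the commit message), or writing the length check in subtraction form, `td->tlv.length > buffer_len - offset`, which holds for any offset width once `offset <= buffer_len` is established. A test that feeds a state blob with a `tlv.length` near the 32-bit maximum would also keep the fix from regressing; none is visible in this diff.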