swtpm: Use uint64_t to avoid integer wrap-around when adding a uint32_t To avoid an integer wrap-around use uint64_t for 'offset' so that adding an untrusted 32-bit number will allow for comparison against the trusted 'buffer_len' 32-bit number: if (offset + td->tlv.length > buffer_len) return NULL; This avoids possible out-of-bound accesses and crashes when reading specially crafted TPM state input data that have a tlv.length that is so large that is causes an integer overflow. Resolves: https://github.com/stefanberger/swtpm/issues/678 Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

commit: 2ee76e946c8e335c38c7a1c5c9cdfae5236d6237 [log] [tgz]
author: Stefan Berger <stefanb@linux.ibm.com> Fri Mar 25 23:28:21 2022 -0400
committer: Stefan Berger <stefanb@us.ibm.com> Wed Mar 30 15:51:54 2022 -0400
tree: 9818e83558faeb5ef5b3be76404ff55728294406
parent: e9c0ca92f7bc54cf853943b3ab5f72a7b66cdb75 [diff]
diff --git a/src/swtpm/tlv.c b/src/swtpm/tlv.c
index fabf207..a46b361 100644
--- a/src/swtpm/tlv.c
+++ b/src/swtpm/tlv.c

@@ -126,7 +126,7 @@
 tlv_data_find_tag(const unsigned char *buffer, uint32_t buffer_len,
                   uint16_t tag, tlv_data *td)
 {
-    uint32_t offset = 0;
+    uint64_t offset = 0; /* uint64_t to prevent integer overflow */
 
     while (offset < buffer_len) {
         if (offset + sizeof(td->tlv) > buffer_len)
commit	2ee76e946c8e335c38c7a1c5c9cdfae5236d6237	[log] [tgz]
author	Stefan Berger <stefanb@linux.ibm.com>	Fri Mar 25 23:28:21 2022 -0400
committer	Stefan Berger <stefanb@us.ibm.com>	Wed Mar 30 15:51:54 2022 -0400
tree	9818e83558faeb5ef5b3be76404ff55728294406
parent	e9c0ca92f7bc54cf853943b3ab5f72a7b66cdb75 [diff]