From f19bf6c6dceda814fab9145f9b294b95a038b22d Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Tue, 27 Mar 2018 18:07:46 -0400 Subject: [PATCH] tpm2: Check against unreasonably large datasize value from stream Check the read datasize against an unreasonably large value and log in case we encounter a bad value. This particular value cannot be larger than 64k and a few bytes. Signed-off-by: Stefan Berger
---
 src/tpm2/NVMarshal.c | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/src/tpm2/NVMarshal.c b/src/tpm2/NVMarshal.c
index 3e8caaae..6ac9e506 100644
--- a/src/tpm2/NVMarshal.c
+++ b/src/tpm2/NVMarshal.c
@@ -4108,6 +4108,14 @@ USER_NVRAM_Unmarshal(BYTE **buffer, INT32 *size)
 if (rc == TPM_RC_SUCCESS) {
 rc = UINT32_Unmarshal(&datasize, buffer, size);
 }
+ if (rc == TPM_RC_SUCCESS) {
+ /* datasize cannot exceed 64k + a few bytes */
+ if (datasize > (0x10000 + 0x100)) {
+ TPMLIB_LogTPM2Error("datasize for NV_INDEX too "
+ "large: %u\n", datasize);
+ rc = TPM_RC_SIZE;
+ }
+ }
 if (rc == TPM_RC_SUCCESS && o + offset + datasize > array_size) {
 o += offset + datasize;
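Review bot: The limit in the added `if (datasize > (0x10000 + 0x100))` is a bare literal, and the comment's "a few bytes" does not say what the extra 0x100 covers, so a later change to the maximum NV index data size could leave this bound silently stale. Consider naming the limit and stating its derivation, e.g. `#define NV_INDEX_DATASIZE_MAX (0x10000 + 0x100) /* max NV data + header allowance */` (the name is only a suggestion), and testing `datasize > NV_INDEX_DATASIZE_MAX`. The context check that follows, `o + offset + datasize > array_size`, is now bounded only in its `datasize` term; the types and origins of `o` and `offset` are not visible in this hunk, so it is worth confirming that the sum cannot wrap before the comparison. USER_NVRAM_Unmarshal starts and ends outside the hunk.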