bufsiz contains the length of the buffer, whereas bufvalid contains the
number of valid bytes within the buffer. Therefore, bufvalid should be used
as a limit when reading from the buffer and bufsize when writing to it.
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Alexander Steffen <Alexander.Steffen@xxxxxxxxxxxx>
---
drivers/char/tpm/tpm-interface.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c
index a452cd0..5ef8eb3 100644
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -393,19 +393,16 @@ ssize_t tpm_transmit(struct tpm_chip *chip, struct tpm_space *space,
unsigned long stop;
bool need_locality;
- if (!tpm_validate_command(chip, space, buf, bufsiz))
+ if (!tpm_validate_command(chip, space, buf, bufvalid))
return -EINVAL;
- if (bufsiz > TPM_BUFSIZE)
- bufsiz = TPM_BUFSIZE;
-
count = be32_to_cpu(*((__be32 *) (buf + 2)));
ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
if (count == 0)
return -ENODATA;
- if (count > bufsiz || count > bufvalid) {
+ if (count > bufvalid) {
dev_err(&chip->dev,
- "invalid count value %x %zx\n", count, bufsiz);
+ "invalid count value %x %zx\n", count, bufvalid);
return -E2BIG;
}
--
2.7.4