> > diff --git a/drivers/char/tpm/tpm-dev-common.c > > b/drivers/char/tpm/tpm-dev-common.c > > index 610638a..c39b581 100644 > > --- a/drivers/char/tpm/tpm-dev-common.c > > +++ b/drivers/char/tpm/tpm-dev-common.c > > @@ -119,7 +119,7 @@ ssize_t tpm_common_write(struct file *file, const > char __user *buf, > > return -EPIPE; > > } > > out_size = tpm_transmit(priv->chip, space, priv->data_buffer, > > - sizeof(priv->data_buffer), 0); > > + sizeof(priv->data_buffer), in_size, 0); > > Why you couldn't just > > unsigned int bufsiz; > > /* ... */ > > bufsiz = sizeof(priv->data_buffer); > if (in_size < bufsiz) > bufsiz = in_size; > > out_size = tpm_transmit(priv->chip, space, priv->data_buffer, bufsiz, 0); Because the code needs to know both how large the buffer is (in order to avoid buffer overflows when writing to it) and how much of the data in the buffer is valid (in order not to send random junk to the TPM). This is made more explicit in PATCH 2/2. Your example fails as soon as the response is longer than the command. Alexander