diff --git a/src/tss2-fapi/api/Fapi_WriteAuthorizeNV.c b/src/tss2-fapi/api/Fapi_WriteAuthorizeNV.c
index 4c9918d6a..c5fb99ea0 100644
--- a/src/tss2-fapi/api/Fapi_WriteAuthorizeNV.c
+++ b/src/tss2-fapi/api/Fapi_WriteAuthorizeNV.c
@@ -237,7 +237,6 @@ Fapi_WriteAuthorizeNv_Finish(
 TSS2_RC r;
 const size_t maxNvSize = sizeof(TPMU_HA) + sizeof(TPMI_ALG_HASH);
- BYTE nvBuffer[maxNvSize];
 size_t offset = 0;
 /* Check for NULL parameters */
@@ -252,6 +251,7 @@ Fapi_WriteAuthorizeNv_Finish(
 switch (context->state) {
 statecase(context->state, WRITE_AUTHORIZE_NV_READ_NV)
+ nvCmd->nv_buffer = NULL;
 /* First check whether the file in object store can be updated. */
 r = ifapi_keystore_check_writeable(&context->keystore, nvCmd->nvPath);
 goto_if_error_reset_state(r, 
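Review bot: The added `nvCmd->nv_buffer = NULL;` in the WRITE_AUTHORIZE_NV_READ_NV case has no comment explaining why it is there, and the reason is not local. The cleanup block later in this function calls `SAFE_FREE(nvCmd->nv_buffer)`, so the pointer must be well defined on every path that reaches cleanup before the allocation in WRITE_AUTHORIZE_NV_WRITE_NV_RAM_PREPARE. I would add `/* nv_buffer is allocated in WRITE_NV_RAM_PREPARE and freed in cleanup; keep it NULL until then. */` above the assignment. The function body starts and ends outside the hunk, so it is not visible whether any path reaches cleanup without passing through this state; if one does, initialising the field where the NV command is first set up would be safer.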
@@ -285,25 +285,29 @@ Fapi_WriteAuthorizeNv_Finish( statecase(context->state, WRITE_AUTHORIZE_NV_WRITE_NV_RAM_PREPARE) + nvCmd->nv_buffer = malloc(maxNvSize); + if (!nvCmd->nv_buffer) { + goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup); + } + /* Copy hash alg followed by digest into a buffer to be written to NV ram */ r = Tss2_MU_TPMI_ALG_HASH_Marshal( object->misc.nv.public.nvPublic.nameAlg, - &nvBuffer[0], maxNvSize, &offset); + &nvCmd->nv_buffer[0], maxNvSize, &offset); goto_if_error_reset_state(r, "FAPI marshal hash alg", error_cleanup); void * currentDigest = &policy->policyDigests.digests[command->digest_idx].digest; - memcpy(&nvBuffer[offset], currentDigest, command->hash_size); + memcpy(&nvCmd->nv_buffer[offset], currentDigest, command->hash_size); /* Store these data in the context to be used for re-entry on nv_write. */ - nvCmd->data = &nvBuffer[0]; nvCmd->numBytes = command->hash_size + sizeof(TPMI_ALG_HASH); fallthrough; statecase(context->state, WRITE_AUTHORIZE_NV_WRITE_NV_RAM) /* Perform the actual NV Write operation. */ r = ifapi_nv_write(context, nvCmd->nvPath, 0, - nvCmd->data, context->nv_cmd.numBytes); + nvCmd->nv_buffer, context->nv_cmd.numBytes); return_try_again(r); goto_if_error_reset_state(r, " FAPI NV Write", error_cleanup); @@ -355,6 +359,7 @@ Fapi_WriteAuthorizeNv_Finish( /* Cleanup any intermediate results and state stored in the context. */ SAFE_FREE(command->policyPath); SAFE_FREE(nvCmd->nvPath); + SAFE_FREE(nvCmd->nv_buffer); ifapi_session_clean(context); ifapi_cleanup_policy(policy); ifapi_cleanup_ifapi_object(&context->loadKey.auth_object); diff --git a/src/tss2-fapi/fapi_int.h b/src/tss2-fapi/fapi_int.h index b6c26e9e7..ed75c317a 100644 --- a/src/tss2-fapi/fapi_int.h +++ b/src/tss2-fapi/fapi_int.h 
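Review bot: The `memcpy` into `&nvCmd->nv_buffer[offset]` copies `command->hash_size` bytes without comparing that length with the space left in the `maxNvSize`-byte allocation, and with the buffer now on the heap an oversized value would overwrite adjacent heap data. Where `hash_size` is set is outside this hunk, so it may already be bounded by the digest size, but an explicit guard before the copy keeps the write safe regardless: `if (command->hash_size > maxNvSize - offset) { goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Digest too large", error_cleanup); }`. Separately, the out-of-memory branch uses `goto_error` while the neighbouring failures use `goto_if_error_reset_state`; if the cleanup code does not reset `context->state` itself, that branch should reset it too.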
@@ -226,6 +226,7 @@ typedef struct { UINT16 offset; /**< Offset in TPM memory TPM */ size_t data_idx; /**< Offset in the read buffer */ const uint8_t *data; /**< Buffer for data to be written */ + uint8_t *nv_buffer; /**< Buffer for data to be written */ uint8_t *rdata; /**< Buffer for data to be read */ size_t size; /**< size of rdata */ IFAPI_OBJECT auth_object; /**< Object used for authentication */ diff --git a/src/tss2-fapi/ifapi_helpers.c b/src/tss2-fapi/ifapi_helpers.c index e7f6eeeb7..0b5ec7113 100644 --- a/src/tss2-fapi/ifapi_helpers.c +++ b/src/tss2-fapi/ifapi_helpers.c @@ -85,8 +85,8 @@ ifapi_set_key_flags(const char *type, bool policy, IFAPI_KEY_TEMPLATE *template) } else if (strcasecmp(flag, "noda") == 0) { attributes |= TPMA_OBJECT_NODA; } else if (strncmp(flag, "0x", 2) == 0) { - sscanf(&flag[2], "%"SCNx32 "%n", &handle, &pos); - if ((size_t)pos != strlen(flag) - 2) { + if (sscanf(&flag[2], "%"SCNx32 "%n", &handle, &pos) < 1 || + (size_t)pos != strlen(flag) - 2) { goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Invalid flag: %s", error, flag); } @@ -182,8 +182,8 @@ ifapi_set_nv_flags(const char *type, IFAPI_NV_TEMPLATE *template, } else if (strcasecmp(flag, "noda") == 0) { attributes |= TPMA_NV_NO_DA; } else if (strncmp(flag, "0x", 2) == 0) { - sscanf(&flag[2], "%"SCNx32 "%n", &handle, &pos); - if ((size_t)pos != strlen(flag) - 2) { + if (sscanf(&flag[2], "%"SCNx32 "%n", &handle, &pos) < 1 || + (size_t)pos != strlen(flag) - 2) { goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Invalid flag: %s", error, flag); } diff --git a/src/tss2-mu/tpm2b-types.c b/src/tss2-mu/tpm2b-types.c index 6d55fb360..969a4cba6 100644 --- a/src/tss2-mu/tpm2b-types.c +++ b/src/tss2-mu/tpm2b-types.c 
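Review bot: The new `nv_buffer` member carries the same doc comment as `data` directly above it, so the header does not say how the two differ or who frees what. Elsewhere in this commit `nv_buffer` is allocated with `malloc` and released with `SAFE_FREE` in Fapi_WriteAuthorizeNv_Finish, while `data` is a `const` pointer. I would document that ownership, e.g. `/**< Heap buffer owned by the command context for data to be written; freed during cleanup */`, and describe `data` as a borrowed pointer if that is its role. The struct definition starts and ends outside the hunk.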
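Review bot: The `%"SCNx32"` conversion in `ifapi_set_key_flags` still accepts more than bare hex digits after the `0x` prefix. Leading white space, a sign and a second `0x` are all consumed and counted by `%n`, so a string such as `0x-1` passes the length check, and a value too large for 32 bits is undefined behaviour in `sscanf`. Checking the digits first closes both gaps: `size_t ndigits = strspn(&flag[2], "0123456789abcdefABCDEF");` followed by `if (ndigits == 0 || ndigits > 8 || flag[2 + ndigits] != '\0')` leading to the existing `goto_error`. The same applies to the identical change in `ifapi_set_nv_flags` in the next hunk; both functions start and end outside their hunks.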
@@ -147,7 +147,7 @@ TSS2_RC Tss2_MU_##type##_Unmarshal(uint8_t const buffer[], size_t buffer_size, \
 \
 if (dest != NULL) { \
 dest->size = size; \
- memcpy(((TPM2B *)dest)->buffer, &buffer[local_offset], size); \
+ memcpy(&dest->buf_name, &buffer[local_offset], size); \
 } \
 local_offset += size; \
 if (offset != NULL) { \
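Review bot: Nothing in this hunk shows `size` being compared with `sizeof(dest->buf_name)` before the `memcpy` into the named member, and `size` is presumably decoded from the input buffer. The macro body starts above the hunk, so the bound may already be enforced there. If it is, a short comment at the copy such as `/* size <= sizeof(dest->buf_name) was checked above */` would make that visible; if it is not, a guard like `if (size > sizeof(dest->buf_name)) return TSS2_MU_RC_BAD_SIZE;` belongs before the `dest != NULL` block. As a style point, `dest->buf_name` without the `&` would read more naturally if the member is always a byte array.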