Validate GetProductInfo payload length

LinuxJedi · LinuxJedi · commit 4f6282b9e704 · 2025-10-21T16:11:24.000+01:00
Reject undersized SWTPM responses before copying product info to avoid signed underflow and out-of-bounds access.
diff --git a/src/tpm2.c b/src/tpm2.c
@@ -5483,9 +5483,16 @@ TPM_RC TPM2_GetProductInfo(uint8_t* info, uint16_t size)
              */
 
             /* start of product info starts at byte 26 */
-            if (size > packet.size - 26)
-                size = packet.size - 26;
-            XMEMCPY(info, &packet.buf[25], size);
+            if (packet.size <= 26) {
+                rc = TPM_RC_SIZE;
+            }
+            else if (size > 0) {
+                size_t payloadSz = (size_t)(packet.size - 26);
+                if (payloadSz > (size_t)size) {
+                    payloadSz = (size_t)size;
+                }
+                XMEMCPY(info, &packet.buf[25], payloadSz);
+            }
         }
         TPM2_ReleaseLock(ctx);
     }
