Prevent undefined behavior
Fix #2068 in 2.3 branch.

Signed-off-by: Steven Bellock <[email protected]>
steven-bellock authored and jyao1 committed May 30, 2023
1 parent 2cc5316 commit 7ba4583
Showing 5 changed files with 19 additions and 2 deletions.
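--- a/include/internal/libspdm_common_lib.h
+++ b/include/internal/libspdm_common_lib.h
@@ -14,6 +14,8 @@
 #include "library/spdm_device_secret_lib.h"
 
 #define INVALID_SESSION_ID 0
+#define LIBSPDM_MAX_CT_EXPONENT 31
+#define LIBSPDM_MAX_RDT_EXPONENT 31
 
 typedef struct {
 uint8_t spdm_version_count;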
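Review bot: `LIBSPDM_MAX_CT_EXPONENT` and `LIBSPDM_MAX_RDT_EXPONENT` are added without a comment saying what they bound or why the value is 31. The other sections of this commit compare peer-supplied exponents against them before those exponents are used as shift counts, so the limit is security-relevant and easy to raise by mistake. A comment above the two definitions such as `/* Largest exponent accepted from a peer; values are used as shift counts when computing timeouts. */` would record that.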
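--- a/library/spdm_requester_lib/libspdm_req_get_capabilities.c
+++ b/library/spdm_requester_lib/libspdm_req_get_capabilities.c
@@ -279,6 +279,11 @@ static libspdm_return_t libspdm_try_get_capabilities(libspdm_context_t *spdm_con
 }
 }
 
+if (spdm_response->ct_exponent > LIBSPDM_MAX_CT_EXPONENT) {
+status = LIBSPDM_STATUS_INVALID_MSG_FIELD;
+goto receive_done;
+}
+
 /* -=[Process Response Phase]=- */
 status = libspdm_append_message_a(spdm_context, spdm_request, spdm_request_size);
 if (LIBSPDM_STATUS_IS_ERROR(status)) {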
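Review bot: The new `ct_exponent > LIBSPDM_MAX_CT_EXPONENT` rejection has no accompanying test, as far as this page shows: none of the changed files listed is a unit test. A requester test that supplies a CAPABILITIES response with `ct_exponent` one above the limit and expects `LIBSPDM_STATUS_INVALID_MSG_FIELD` would pin the boundary. The `rd_exponent` check in libspdm_handle_response_not_ready and the responder check in libspdm_rsp_capabilities.c would benefit from the same. libspdm_try_get_capabilities starts and ends outside the hunk.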
Expand Up @@ -167,13 +167,16 @@ static libspdm_return_t libspdm_handle_response_not_ready(libspdm_context_t *spd
if (extend_error_data->request_code != original_request_code) {
return LIBSPDM_STATUS_INVALID_MSG_FIELD;
}
if (extend_error_data->rd_exponent > LIBSPDM_MAX_RDT_EXPONENT) {
return LIBSPDM_STATUS_INVALID_MSG_FIELD;
}

spdm_context->error_data.rd_exponent = extend_error_data->rd_exponent;
spdm_context->error_data.request_code = extend_error_data->request_code;
spdm_context->error_data.token = extend_error_data->token;
spdm_context->error_data.rd_tm = extend_error_data->rd_tm;

libspdm_sleep_in_us((2 << extend_error_data->rd_exponent));
libspdm_sleep_in_us((uint64_t)1 << extend_error_data->rd_exponent);
return libspdm_requester_respond_if_ready(spdm_context, session_id,
response_size, response,
expected_response_code,
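Review bot: The `libspdm_sleep_in_us` call at the end of this section still blocks the caller for a duration the peer chooses. With `rd_exponent` capped at `LIBSPDM_MAX_RDT_EXPONENT` (31), the argument can reach 2^31 microseconds, about 36 minutes, for a single not-ready response. The added check keeps the shift defined but does not bound that stall, so either an integrator-configurable ceiling on the wait or a comment such as `/* rd_exponent <= 31 keeps the shift defined; it is not a timeout policy. */` would make the remaining exposure explicit. The same applies to the `ct_exponent` term added to `timeout` in libspdm_req_send_receive.c. libspdm_handle_response_not_ready starts and ends outside the hunk.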
2 changes: 1 addition & 1 deletion library/spdm_requester_lib/libspdm_req_send_receive.c
Expand Up @@ -130,7 +130,7 @@ libspdm_return_t libspdm_receive_response(void *context, const uint32_t *session

if (spdm_context->crypto_request) {
timeout = spdm_context->local_context.capability.rtt +
((uint64_t)2 << spdm_context->connection_info.capability.ct_exponent);
((uint64_t)1 << spdm_context->connection_info.capability.ct_exponent);
} else {
timeout = spdm_context->local_context.capability.rtt +
spdm_context->local_context.capability.st1;
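Review bot: The shift in the `crypto_request` branch depends on `connection_info.capability.ct_exponent` having been range-checked where it was stored, and nothing at this site enforces that. If the field can be populated by any path other than the capabilities exchange checked in this commit (not visible here), a value of 64 or more is still an undefined shift. An assertion just before the computation, `LIBSPDM_ASSERT(spdm_context->connection_info.capability.ct_exponent <= LIBSPDM_MAX_CT_EXPONENT);`, would state the invariant next to its use. libspdm_receive_response continues outside the hunk.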
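--- a/library/spdm_responder_lib/libspdm_rsp_capabilities.c
+++ b/library/spdm_responder_lib/libspdm_rsp_capabilities.c
@@ -189,6 +189,13 @@ libspdm_return_t libspdm_get_response_capabilities(void *context,
 response_size, response);
 }
 }
+if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_11) {
+if (spdm_request->ct_exponent > LIBSPDM_MAX_CT_EXPONENT) {
+return libspdm_generate_error_response(spdm_context,
+SPDM_ERROR_CODE_INVALID_REQUEST, 0,
+response_size, response);
+}
+}
 
 libspdm_reset_message_buffer_via_request_code(spdm_context, NULL,
 spdm_request->header.request_response_code);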
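Review bot: The version gate around the new range check has no comment explaining why requests below `SPDM_MESSAGE_VERSION_11` skip it. Presumably `ct_exponent` is only carried by requests from version 1.1 onward, so the field must not be read for an older request; a one-line comment such as `/* ct_exponent is only present in requests of version 1.1 and later. */` would make that explicit. The two nested `if` statements could also be written as one condition joined with `&&`. libspdm_get_response_capabilities starts and ends outside the hunk.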
