From 7ba45838b023ee90e9db450e403f74589dcc3160 Mon Sep 17 00:00:00 2001
From: Steven Bellock
Date: Mon, 29 May 2023 11:31:11 -0700
Subject: [PATCH] Prevent undefined behavior Fix #2068 in 2.3 branch.
Signed-off-by: Steven Bellock
---
 include/internal/libspdm_common_lib.h | 2 ++
 library/spdm_requester_lib/libspdm_req_get_capabilities.c | 5 +++++
 .../spdm_requester_lib/libspdm_req_handle_error_response.c | 5 ++++-
 library/spdm_requester_lib/libspdm_req_send_receive.c | 2 +-
 library/spdm_responder_lib/libspdm_rsp_capabilities.c | 7 +++++++
 5 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/include/internal/libspdm_common_lib.h b/include/internal/libspdm_common_lib.h
index f33d915985c..142798389f1 100644
--- a/include/internal/libspdm_common_lib.h
+++ b/include/internal/libspdm_common_lib.h
@@ -14,6 +14,8 @@ #include "library/spdm_device_secret_lib.h"
 #define INVALID_SESSION_ID 0
+#define LIBSPDM_MAX_CT_EXPONENT 31
+#define LIBSPDM_MAX_RDT_EXPONENT 31
 typedef struct {
 uint8_t spdm_version_count;
diff --git a/library/spdm_requester_lib/libspdm_req_get_capabilities.c b/library/spdm_requester_lib/libspdm_req_get_capabilities.c
index a4722955d99..11d5b0ee710 100644
--- a/library/spdm_requester_lib/libspdm_req_get_capabilities.c
+++ b/library/spdm_requester_lib/libspdm_req_get_capabilities.c
@@ -279,6 +279,11 @@ static libspdm_return_t libspdm_try_get_capabilities(libspdm_context_t *spdm_con
 }
 }
+ if (spdm_response->ct_exponent > LIBSPDM_MAX_CT_EXPONENT) {
+ status = LIBSPDM_STATUS_INVALID_MSG_FIELD;
+ goto receive_done;
+ }
+ /* -=[Process Response Phase]=- */
 status = libspdm_append_message_a(spdm_context, spdm_request, spdm_request_size);
 if (LIBSPDM_STATUS_IS_ERROR(status)) {
diff --git a/library/spdm_requester_lib/libspdm_req_handle_error_response.c b/library/spdm_requester_lib/libspdm_req_handle_error_response.c
index 542b6884bc7..03503e8e7de 100644
--- a/library/spdm_requester_lib/libspdm_req_handle_error_response.c
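Review bot: The two limits added to libspdm_common_lib.h have no comment saying why 31 was chosen or what they protect. The shifts elsewhere in this patch are performed on a `uint64_t` operand, so 31 appears to be a policy bound on peer-supplied exponents rather than the width limit of the shift, and the macro alone does not tell a reader that. I would put a comment above them such as `/* Largest CTExponent / RDTExponent accepted from a peer; larger values are rejected before being used as a shift count. */`. The same bound is enforced in the libspdm_req_get_capabilities.c, libspdm_req_handle_error_response.c and libspdm_rsp_capabilities.c hunks, so the comment is best placed once here.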
+++ b/library/spdm_requester_lib/libspdm_req_handle_error_response.c
@@ -167,13 +167,16 @@ static libspdm_return_t libspdm_handle_response_not_ready(libspdm_context_t *spd
 if (extend_error_data->request_code != original_request_code) {
 return LIBSPDM_STATUS_INVALID_MSG_FIELD;
 }
+ if (extend_error_data->rd_exponent > LIBSPDM_MAX_RDT_EXPONENT) {
+ return LIBSPDM_STATUS_INVALID_MSG_FIELD;
+ }
 spdm_context->error_data.rd_exponent = extend_error_data->rd_exponent;
 spdm_context->error_data.request_code = extend_error_data->request_code;
 spdm_context->error_data.token = extend_error_data->token;
 spdm_context->error_data.rd_tm = extend_error_data->rd_tm;
- libspdm_sleep_in_us((2 << extend_error_data->rd_exponent));
+ libspdm_sleep_in_us((uint64_t)1 << extend_error_data->rd_exponent);
 return libspdm_requester_respond_if_ready(spdm_context, session_id, response_size, response, expected_response_code,
diff --git a/library/spdm_requester_lib/libspdm_req_send_receive.c b/library/spdm_requester_lib/libspdm_req_send_receive.c
index 6272dff9baf..2659ff50b64 100644
--- a/library/spdm_requester_lib/libspdm_req_send_receive.c
+++ b/library/spdm_requester_lib/libspdm_req_send_receive.c
@@ -130,7 +130,7 @@ libspdm_return_t libspdm_receive_response(void *context, const uint32_t *session
 if (spdm_context->crypto_request) {
 timeout = spdm_context->local_context.capability.rtt +
- ((uint64_t)2 << spdm_context->connection_info.capability.ct_exponent);
+ ((uint64_t)1 << spdm_context->connection_info.capability.ct_exponent);
 } else {
 timeout = spdm_context->local_context.capability.rtt + spdm_context->local_context.capability.st1;
diff --git a/library/spdm_responder_lib/libspdm_rsp_capabilities.c b/library/spdm_responder_lib/libspdm_rsp_capabilities.c
index 188b8f56a90..16499bd3d60 100644
--- a/library/spdm_responder_lib/libspdm_rsp_capabilities.c
+++ b/library/spdm_responder_lib/libspdm_rsp_capabilities.c
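Review bot: In libspdm_handle_response_not_ready the length of the sleep is still chosen by the responder: with the new bound, `(uint64_t)1 << extend_error_data->rd_exponent` can reach 2^31 microseconds, roughly 36 minutes of blocking for a single not-ready error. If that ceiling is intended it should be stated at the call, e.g. `/* rd_exponent is peer-supplied and capped at LIBSPDM_MAX_RDT_EXPONENT, so this blocks for at most 2^31 us. */`; otherwise a lower ceiling that the integrator can set would limit how long an uncooperative responder can stall the requester. The hunk also changes the shifted base from `2` to `1`, which halves the delay for every exponent, and the commit message does not mention that behavioural change. The function body starts and ends outside the hunk.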
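Review bot: The shift in libspdm_receive_response has no guard of its own, so it stays defined only while every writer of `connection_info.capability.ct_exponent` applies the `LIBSPDM_MAX_CT_EXPONENT` check. Only the capabilities request and response paths are visible in this patch, and whether other code can store the field is not shown. Stating the invariant where it is relied on would make a future regression fail loudly: `LIBSPDM_ASSERT(spdm_context->connection_info.capability.ct_exponent <= LIBSPDM_MAX_CT_EXPONENT);` just before the `timeout` computation. As in the libspdm_req_handle_error_response.c hunk, replacing `2` with `1` halves the computed crypto timeout, which deserves a line in the commit message. The function starts and ends outside the hunk.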
@@ -189,6 +189,13 @@ libspdm_return_t libspdm_get_response_capabilities(void *context,
 response_size, response);
 }
 }
+ if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_11) {
+ if (spdm_request->ct_exponent > LIBSPDM_MAX_CT_EXPONENT) {
+ return libspdm_generate_error_response(spdm_context,
+ SPDM_ERROR_CODE_INVALID_REQUEST, 0,
+ response_size, response);
+ }
+ }
 libspdm_reset_message_buffer_via_request_code(spdm_context, NULL, spdm_request->header.request_response_code);