From 3b354b197a4e5d23dddfc9733529c69db8cab07d Mon Sep 17 00:00:00 2001
From: Neil Shipp
Date: Thu, 1 Oct 2020 17:02:36 -0700
Subject: core: Fix RPMB fat entry cache buffer overflow

Ensure that fat_entry_dir_update can only update entries less than the current cache size and not just the maximum size limit of the cache.

Signed-off-by: Neil Shipp
Reviewed-by: Joakim Bech
Reviewed-by: Etienne Carriere
---
 core/tee/tee_rpmb_fs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'core/tee')

diff --git a/core/tee/tee_rpmb_fs.c b/core/tee/tee_rpmb_fs.c
index cbf3f3c0..bea18f4b 100644
--- a/core/tee/tee_rpmb_fs.c
+++ b/core/tee/tee_rpmb_fs.c
@@ -1650,7 +1650,8 @@ static TEE_Result __maybe_unused fat_entry_dir_update
 sizeof(struct rpmb_fat_entry);

 /* Only need to write if index points to an entry in cache. */
- if (fat_entry_buf_idx < max_cache_entries) {
+ if (fat_entry_buf_idx < fat_entry_dir->num_buffered &&
+ fat_entry_buf_idx < max_cache_entries) {
 memcpy(fat_entry_dir->rpmb_fat_entry_buf + fat_entry_buf_idx,
 fat_entry, sizeof(struct rpmb_fat_entry));
 }
-- 
cgit v1.2.3
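Review bot: The comment above the new condition still reads as a caching optimisation, although the `fat_entry_dir->num_buffered` comparison is now what keeps the `memcpy` inside the buffer. Going by the commit message, the buffer holds only the current number of entries rather than `max_cache_entries`, so I would reword it to something like `/* Write only if the index is within the currently buffered entries; num_buffered, not max_cache_entries, bounds rpmb_fat_entry_buf. */`. The remaining `fat_entry_buf_idx < max_cache_entries` test looks redundant if `num_buffered` can never exceed `max_cache_entries`. That invariant is not visible in this hunk, so either keep the test as defence in depth and say so in the comment, or state the invariant once where `num_buffered` is set. The function body starts and ends outside the hunk, so how `fat_entry_buf_idx` is derived from the address could not be checked here.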