Fix fenrir wolfTPM findings (3)

src/tpm2.c

@@ -5866,7 +5866,8 @@ int TPM2_GetNonceNoLock(byte* nonceBuf, int nonceSz)
         }
 
         TPM2_Packet_ParseU16(&packet, &outSz);
-        if (outSz > MAX_RNG_REQ_SIZE) {
+        if (outSz == 0 || outSz > MAX_RNG_REQ_SIZE ||
+            randSz > nonceSz || outSz > (nonceSz - randSz)) {
         #ifdef DEBUG_WOLFTPM
             printf("TPM2_GetNonce out size error\n");
         #endif

src/tpm2_swtpm.c

@@ -260,7 +260,7 @@ static TPM_RC SwTpmDisconnect(TPM2_CTX* ctx)
  */
 int TPM2_SWTPM_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
 {
-    int rc = TPM_RC_FAILURE;
+    int rc = TPM_RC_SUCCESS;
     int rspSz = 0;
     uint32_t tss_word;
 

src/tpm2_wrap.c

@@ -540,6 +540,14 @@ int wolfTPM2_SetKeyBlobFromBuffer(WOLFTPM2_KEYBLOB* key, byte *buffer,
     runner += sizeof(key->pub.size);
     done_reading += sizeof(key->pub.size);
 
+    if (key->pub.size > sizeof(pubAreaBuffer) - sizeof(UINT16)) {
+#ifdef DEBUG_WOLFTPM
+        printf("Public key size too large (%d > %d)\n",
+            key->pub.size, (int)(sizeof(pubAreaBuffer) - sizeof(UINT16)));
+#endif
+        return BUFFER_E;
+    }
+
     if (bufferSz < done_reading + sizeof(UINT16) + key->pub.size) {
 #ifdef DEBUG_WOLFTPM
         printf("Buffer size check failed (%d)\n", bufferSz);
@@ -569,6 +577,14 @@ int wolfTPM2_SetKeyBlobFromBuffer(WOLFTPM2_KEYBLOB* key, byte *buffer,
     runner += sizeof(key->priv.size);
     done_reading += sizeof(key->priv.size);
 
+    if (key->priv.size > sizeof(key->priv.buffer)) {
+#ifdef DEBUG_WOLFTPM
+        printf("Private key size too large (%d > %d)\n",
+            key->priv.size, (int)sizeof(key->priv.buffer));
+#endif
+        return BUFFER_E;
+    }
+
     if (bufferSz < done_reading + key->priv.size) {
 #ifdef DEBUG_WOLFTPM
         printf("Buffer size check failed (%d)\n", bufferSz);
@@ -1032,7 +1048,7 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
 {
     const TPM2B_AUTH* auth = NULL;
     const TPM2B_NAME* name = NULL;
-    if (dev == NULL || index >= MAX_SESSION_NUM) {
+    if (dev == NULL || index < 0 || index >= MAX_SESSION_NUM) {
         return BAD_FUNC_ARG;
     }
 
@@ -1063,8 +1079,11 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
             session->auth.size = authDigestSz + handle->auth.size;
             XMEMCPY(&session->auth.buffer[authDigestSz], handle->auth.buffer,
                 handle->auth.size);
+            if (handle->name.size > sizeof(session->name.name)) {
+                return BUFFER_E;
+            }
             session->name.size = handle->name.size;
-            XMEMCPY(session->name.name, handle->name.name, handle->name.size);
+            XMEMCPY(session->name.name, handle->name.name, session->name.size);
             return TPM_RC_SUCCESS;
         }
         auth = &handle->auth;
@@ -1079,7 +1098,7 @@ int wolfTPM2_SetAuthHandleName(WOLFTPM2_DEV* dev, int index,
     const TPM2B_NAME* name = NULL;
     TPM2_AUTH_SESSION* session;
 
-    if (dev == NULL || handle == NULL || index >= MAX_SESSION_NUM) {
+    if (dev == NULL || handle == NULL || index < 0 || index >= MAX_SESSION_NUM) {
         return BAD_FUNC_ARG;
     }
 
@@ -1136,7 +1155,7 @@ int wolfTPM2_SetAuthSession(WOLFTPM2_DEV* dev, int index,
 {
     int rc;
 
-    if (dev == NULL || index >= MAX_SESSION_NUM) {
+    if (dev == NULL || index < 0 || index >= MAX_SESSION_NUM) {
         return BAD_FUNC_ARG;
     }
 
@@ -2939,6 +2958,9 @@ int wolfTPM2_ImportEccPrivateKeySeed(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* pare
     if (rc == 0) {
         rc = wolfTPM2_ImportPrivateKey(dev, parentKey, keyBlob, &pub, &sens);
     }
+
+    TPM2_ForceZero(&sens, sizeof(sens));
+
     return rc;
 }
 
@@ -3684,6 +3706,10 @@ int wolfTPM2_CreateRsaKeyBlob(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKey,
     /* not used */
     (void)p;
 
+    TPM2_ForceZero(d, sizeof(d));
+    TPM2_ForceZero(p, sizeof(p));
+    TPM2_ForceZero(q, sizeof(q));
+
     return rc;
 }
 
@@ -3728,6 +3754,10 @@ int wolfTPM2_RsaKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKe
 
         /* not used */
         (void)p;
+
+        TPM2_ForceZero(d, sizeof(d));
+        TPM2_ForceZero(p, sizeof(p));
+        TPM2_ForceZero(q, sizeof(q));
     }
     else {
         /* export the raw public RSA portion */
@@ -3911,6 +3941,8 @@ int wolfTPM2_CreateEccKeyBlob(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* parentKey,
             qx, qxSz, qy, qySz, d, dSz);
     }
 
+    TPM2_ForceZero(d, sizeof(d));
+
     return rc;
 }
 
@@ -3986,6 +4018,8 @@ int wolfTPM2_EccKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* parentKey,
             rc = wolfTPM2_LoadEccPrivateKey(dev, parentKey, tpmKey, curve_id,
                 qx, qxSz, qy, qySz, d, dSz);
         }
+
+        TPM2_ForceZero(d, sizeof(d));
     }
     else {
         /* export the raw public ECC portion */
@@ -5231,6 +5265,10 @@ int wolfTPM2_NVReadCert(WOLFTPM2_DEV* dev, TPM_HANDLE handle,
     WOLFTPM2_NV nv;
     TPMS_NV_PUBLIC nvPublic;
 
+    if (len == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
     XMEMSET(&nvPublic, 0, sizeof(nvPublic));
     XMEMSET(&nv, 0, sizeof(nv));
 
@@ -5530,7 +5568,7 @@ int wolfTPM2_GetRandom(WOLFTPM2_DEV* dev, byte* buf, word32 len)
         }
 
         sz = out.randomBytes.size; /* use actual returned size */
-        if (sz > MAX_RNG_REQ_SIZE) {
+        if (sz == 0 || sz > MAX_RNG_REQ_SIZE || sz > (len - pos)) {
         #ifdef DEBUG_WOLFTPM
             printf("wolfTPM2_GetRandom out size error\n");
         #endif
@@ -5857,6 +5895,8 @@ int wolfTPM2_LoadSymmetricKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key, int alg,
 
 exit:
 
+    TPM2_ForceZero(&loadExtIn.inPrivate, sizeof(loadExtIn.inPrivate));
+
     if (rc != TPM_RC_SUCCESS) {
     #ifdef DEBUG_WOLFTPM
         printf("TPM2_LoadExternal: failed %d: %s\n",
@@ -6097,6 +6137,8 @@ int wolfTPM2_LoadKeyedHashKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
         (word32)key->handle.hndl);
 #endif
 
+    TPM2_ForceZero(&createIn.inSensitive, sizeof(createIn.inSensitive));
+
     return rc;
 }