Closed
Labels: bug (Something isn't working), security (Issues related to the security and privacy of the service)
Description
Hello,
I identified native buffer types whose MAX_SIZE is larger than the buffer size of corresponding TSS types (TPM2B). This is an issue because the infallible conversion From<$native_type> for $tss_type is implemented. When the native buffer is too big, the conversion method panics.
Affected buffer types are:
- IdObject / TPM2B_ID_OBJECT
- SensitiveData / TPM2B_SENSITIVE_DATA
Example of code that triggers the issue:

```rust
#!/usr/bin/env cargo-eval
//! ```cargo
//! [dependencies]
//! tss-esapi = { version = "7.5.1" }
//! ```
use tss_esapi::structures::IdObject;
use tss_esapi::tss2_esys::TPM2B_ID_OBJECT;
use std::hint::black_box;

fn main() {
    // IdObject::MAX_SIZE: usize = 256usize
    let id_object = IdObject::try_from(vec![0u8; IdObject::MAX_SIZE]).expect("this works");
    //
    // #[repr(C)]
    // pub struct TPM2B_ID_OBJECT {
    //     pub size: UINT16,
    //     pub credential: [BYTE; 132],
    // }
    //
    // The following conversion causes
    // thread 'main' panicked at /home/vscode/.cargo/registry/src/github.com-1ecc6299db9ec823/tss-esapi-7.5.1/src/structures/buffers.rs:185:5:
    // range end index 256 out of range for slice of length 132
    let buffer_id_object: TPM2B_ID_OBJECT = id_object.into();
    black_box(buffer_id_object);
}
```
Security concerns
An unexpected panic can cause a program to abort unexpectedly, potentially leading to a denial of service (DoS) vulnerability. However in this context, it is unlikely that the affected buffers are untrusted, so I don't think there is much of a security concern.
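For reference, an added, dependency-free model of the mismatch described in this report and of the fallible conversion that avoids the panic. It is not the crate's code: `IdObject`, `Tpm2bIdObject` and `ConversionError` are constructed stand-ins that reproduce only the sizes quoted above (native MAX_SIZE 256, TPM2B credential array 132).

```rust
// Constructed model, not tss-esapi code: only the two sizes come from the report.
const ID_OBJECT_MAX_SIZE: usize = 256;      // native IdObject::MAX_SIZE
const TPM2B_ID_OBJECT_CAPACITY: usize = 132; // TPM2B_ID_OBJECT.credential length

/// Model of the native buffer type; invariant: len <= MAX_SIZE.
#[derive(Debug, Clone, PartialEq)]
pub struct IdObject(Vec<u8>);

/// Model of the FFI TPM2B struct: fixed array plus a u16 length prefix.
#[repr(C)]
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Tpm2bIdObject {
    pub size: u16,
    pub credential: [u8; TPM2B_ID_OBJECT_CAPACITY],
}

#[derive(Debug, Clone, PartialEq)]
pub enum ConversionError {
    /// The payload has more bytes than the destination can hold.
    TooLarge { len: usize, max: usize },
}

impl IdObject {
    pub const MAX_SIZE: usize = ID_OBJECT_MAX_SIZE;

    /// Accepts up to MAX_SIZE bytes, mirroring the `try_from(Vec<u8>)` in the report.
    pub fn new(bytes: Vec<u8>) -> Result<Self, ConversionError> {
        if bytes.len() > Self::MAX_SIZE {
            return Err(ConversionError::TooLarge { len: bytes.len(), max: Self::MAX_SIZE });
        }
        Ok(IdObject(bytes))
    }
}

/// Fallible conversion: the length check that an infallible `From` impl cannot express.
impl TryFrom<&IdObject> for Tpm2bIdObject {
    type Error = ConversionError;

    fn try_from(native: &IdObject) -> Result<Self, Self::Error> {
        let len = native.0.len();
        if len > TPM2B_ID_OBJECT_CAPACITY {
            // Returning an error here replaces the slice-index panic from the report.
            return Err(ConversionError::TooLarge { len, max: TPM2B_ID_OBJECT_CAPACITY });
        }
        let mut credential = [0u8; TPM2B_ID_OBJECT_CAPACITY];
        credential[..len].copy_from_slice(&native.0);
        Ok(Tpm2bIdObject { size: len as u16, credential })
    }
}
```

A 256-byte `IdObject` is valid for the native type yet yields `Err(TooLarge { len: 256, max: 132 })` instead of aborting the process, while a 100-byte payload converts with `size == 100`.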