[Skiboot] [EXTERNAL] [PATCH] libstb: Fix memcpy overread in fakenv_readpublic() - is truncation correct?

Reza Arbab arbab at linux.ibm.com
Sat May 28 01:23:26 AEST 2022


On Wed, May 25, 2022 at 09:53:13PM +0000, Kenneth Goldman wrote:
>1. If the buffers are both fixed sizes, why the MIN function.  It will
>compile down to 34.

I can drop the MIN(). As you say, the source and destination have known 
sizes, so we can just use the right one.

>2. I wonder why 34, not 32.  Is there a uint16_t size that's being
>copied but not checked?

I think the relevant structure is

   typedef struct {
       TPMI_ALG_HASH       hashAlg;        /* selector of the hash contained in the digest that implies the size of the digest */
       TPMU_HA             digest;         /* the digest data */
   } TPMT_HA;

So it's a 2-byte selector followed by (in this case) 32-byte sha256.  
That's why the destination is larger. It can accommodate any of the 
supported sizes.

-- 
Reza Arbab
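
An added example, not part of this message or of the skiboot source: the layout described above (2-byte selector plus digest, in a destination sized for the largest hash), with the copy length derived from the source bytes rather than from the destination size. It goes beyond the 34-byte SHA-256 case to the other digest sizes. The types are simplified stand-ins for the TSS definitions, tpmt_ha_from_bytes() is a hypothetical helper, and the big-endian selector in the source buffer is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for the TSS types (assumption, not the real headers). */
typedef uint16_t TPMI_ALG_HASH;
enum { TPM_ALG_SHA1 = 0x0004, TPM_ALG_SHA256 = 0x000B,
       TPM_ALG_SHA384 = 0x000C, TPM_ALG_SHA512 = 0x000D };
typedef union {
    uint8_t sha1[20], sha256[32], sha384[48], sha512[64];
} TPMU_HA;
typedef struct {
    TPMI_ALG_HASH hashAlg;  /* selects which digest size is in use */
    TPMU_HA       digest;   /* sized for the largest supported hash */
} TPMT_HA;

/* Digest length implied by the selector; 0 means unsupported. */
static size_t digest_len(TPMI_ALG_HASH alg)
{
    switch (alg) {
    case TPM_ALG_SHA1:   return 20;
    case TPM_ALG_SHA256: return 32;
    case TPM_ALG_SHA384: return 48;
    case TPM_ALG_SHA512: return 64;
    default:             return 0;
    }
}

/* Hypothetical helper: fill *dst from src_len bytes (big-endian selector,
 * then digest). Returns bytes consumed, or 0 on a length or algorithm
 * mismatch. The copy length comes from the source, never sizeof(*dst). */
static size_t tpmt_ha_from_bytes(TPMT_HA *dst, const uint8_t *src, size_t src_len)
{
    if (src_len < sizeof(TPMI_ALG_HASH))
        return 0;
    TPMI_ALG_HASH alg = (TPMI_ALG_HASH)((src[0] << 8) | src[1]);
    size_t dlen = digest_len(alg);
    if (dlen == 0 || src_len != sizeof(alg) + dlen)
        return 0;
    memset(dst, 0, sizeof(*dst));       /* no stale bytes past the digest */
    dst->hashAlg = alg;
    memcpy(&dst->digest, src + sizeof(alg), dlen);
    return sizeof(alg) + dlen;
}

int main(void)
{
    uint8_t name[34] = { 0x00, 0x0B };  /* constructed: SHA-256 selector, zero digest */
    TPMT_HA out; return tpmt_ha_from_bytes(&out, name, sizeof(name)) == 34 ? 0 : 1;
}
```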

