From 4ddc0690b27a5c5190d55d31cd96b930e89c8f8e Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Thu, 17 Oct 2024 14:00:14 -0300
Subject: [PATCH] Check bounds of tpm.EKs() slice before indexing (#47669)
---
 lib/tpm/tpm.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/lib/tpm/tpm.go b/lib/tpm/tpm.go
index b720df596a822..6175efdedb018 100644
--- a/lib/tpm/tpm.go
+++ b/lib/tpm/tpm.go
@@ -125,6 +125,11 @@ func QueryWithTPM(
 if err != nil {
 return nil, trace.Wrap(err, "querying EKs")
 }
+ // Be a good citizen and check the slice bounds. This is not expected to
+ // happen.
+ if len(eks) == 0 {
+ return nil, trace.BadParameter("no endorsement keys found in tpm")
+ }
 // The first EK returned by `go-attestation` will be an RSA based EK key or
 // EK cert. On Windows, ECC certs may also be returned following this. At