From 296ec7c9bba3ff83af473085dd654b88f5f3e6a6 Mon Sep 17 00:00:00 2001 From: xiphon Date: Fri, 25 Oct 2019 13:13:23 +0000 Subject: device: bounds checking in Ledger send_secret/receive_secret --- src/device/device_ledger.cpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/device/device_ledger.cpp b/src/device/device_ledger.cpp index b89fb0827..49f54e5a5 100644 --- a/src/device/device_ledger.cpp +++ b/src/device/device_ledger.cpp @@ -357,9 +357,11 @@ namespace hw { void device_ledger::send_secret(const unsigned char sec[32], int &offset) { MDEBUG("send_secret: " << this->tx_in_progress); + ASSERT_X(offset + 32 <= BUFFER_SEND_SIZE, "send_secret: out of bounds write (secret)"); memmove(this->buffer_send+offset, sec, 32); offset +=32; if (this->tx_in_progress) { + ASSERT_X(offset + 32 <= BUFFER_SEND_SIZE, "send_secret: out of bounds write (mac)"); this->hmac_map.find_mac((uint8_t*)sec, this->buffer_send+offset); offset += 32; } @@ -367,9 +369,11 @@ namespace hw { void device_ledger::receive_secret(unsigned char sec[32], int &offset) { MDEBUG("receive_secret: " << this->tx_in_progress); + ASSERT_X(offset + 32 <= BUFFER_RECV_SIZE, "receive_secret: out of bounds read (secret)"); memmove(sec, this->buffer_recv+offset, 32); offset += 32; if (this->tx_in_progress) { + ASSERT_X(offset + 32 <= BUFFER_RECV_SIZE, "receive_secret: out of bounds read (mac)"); this->hmac_map.add_mac((uint8_t*)sec, this->buffer_recv+offset); offset += 32; } -- cgit v1.2.3