
Clean-up. Better checks for buffer overflow.

Jochen Hoenicke 2016-04-27 13:37:45 +02:00
parent 5c13e78deb
commit 2abe5d477e


@ -168,26 +168,34 @@ void u2fhid_read(const U2FHID_FRAME *f)
cmd = f->type; cmd = f->type;
memcpy(buf_ptr, f->init.data, sizeof(f->init.data)); memcpy(buf_ptr, f->init.data, sizeof(f->init.data));
buf_ptr += sizeof(f->init.data); buf_ptr += sizeof(f->init.data);
// Broadcast is reserved for init
if (cid == CID_BROADCAST && cmd != U2FHID_INIT)
return;
// Check length isnt bigger than spec max
if (len > sizeof(buf)) {
len = 0;
return send_u2fhid_error(ERR_INVALID_LEN);
}
} }
else { else {
// Broadcast is reserved for init
if (cid == CID_BROADCAST)
return;
// check out of bounds
if ((buf_ptr - buf) >= (signed) len
|| (buf_ptr + sizeof(f->cont.data) - buf) > (signed) sizeof(buf))
return;
if (f->cont.seq == seq) { if (f->cont.seq == seq) {
seq++; seq++;
memcpy(buf_ptr, f->cont.data, sizeof(f->cont.data)); memcpy(buf_ptr, f->cont.data, sizeof(f->cont.data));
buf_ptr += sizeof(f->cont.data); buf_ptr += sizeof(f->cont.data);
} } else {
else {
return send_u2fhid_error(ERR_INVALID_SEQ); return send_u2fhid_error(ERR_INVALID_SEQ);
} }
} }
// Broadcast is reserved for init
if (cid == CID_BROADCAST && cmd != U2FHID_INIT)
return;
// Check length isnt bigger than spec max
if (len > sizeof(buf))
return send_u2fhid_error(ERR_INVALID_LEN);
// Do we need to wait for more data // Do we need to wait for more data
if ((buf_ptr - buf) < (signed)len) { if ((buf_ptr - buf) < (signed)len) {
// debugLog(0, "", "u2fhid_read wait"); // debugLog(0, "", "u2fhid_read wait");
@ -202,18 +210,12 @@ void u2fhid_read(const U2FHID_FRAME *f)
case U2FHID_MSG: case U2FHID_MSG:
u2fhid_msg((APDU *)buf, len); u2fhid_msg((APDU *)buf, len);
break; break;
case U2FHID_LOCK:
u2fhid_lock(buf, len);
break;
case U2FHID_INIT: case U2FHID_INIT:
u2fhid_init((const U2FHID_INIT_REQ *)buf); u2fhid_init((const U2FHID_INIT_REQ *)buf);
break; break;
case U2FHID_WINK: case U2FHID_WINK:
u2fhid_wink(buf, len); u2fhid_wink(buf, len);
break; break;
// case U2FHID_SYNC:
// u2fhid_sync(buf, len);
break;
default: default:
send_u2fhid_error(ERR_INVALID_CMD); send_u2fhid_error(ERR_INVALID_CMD);
break; break;
@ -245,26 +247,6 @@ void u2fhid_wink(const uint8_t *buf, uint32_t len)
queue_u2f_pkt(&f); queue_u2f_pkt(&f);
} }
void u2fhid_sync(const uint8_t *buf, uint32_t len)
{
debugLog(0, "", "u2fhid_sync");
(void)buf;
if (len > 0)
return send_u2fhid_error(ERR_INVALID_LEN);
// Abort things.
dialog_timeout = 0;
}
void u2fhid_lock(const uint8_t *buf, uint32_t len)
{
debugLog(0, "", "u2fhid_lock");
(void)buf;
(void)len;
send_u2fhid_error(ERR_INVALID_CMD);
}
void u2fhid_init(const U2FHID_INIT_REQ *init_req) void u2fhid_init(const U2FHID_INIT_REQ *init_req)
{ {
debugLog(0, "", "u2fhid_init"); debugLog(0, "", "u2fhid_init");
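Review bot: In the init branch of `u2fhid_read` the broadcast and length checks now sit after the `memcpy` into `buf_ptr` and the `buf_ptr +=` advance, so a frame that is then rejected has already overwritten the reassembly buffer and moved the write pointer. The broadcast rejection also returns without touching `len`, whereas the oversize path sets `len = 0`, so the two rejection paths leave different state behind. Moving both checks above the `memcpy` would keep rejected frames from modifying `buf` at all. In the continuation branch, `buf_ptr + sizeof(f->cont.data) - buf` forms a pointer that can lie beyond one past the end of `buf` before it is compared; comparing offsets avoids that and the `(signed)` cast, e.g. `(size_t)(buf_ptr - buf) > sizeof(buf) - sizeof(f->cont.data)`. The function starts before this hunk, so where `cid`, `len`, `seq` and `buf_ptr` are assigned or reset is not visible here and should be checked against the same ordering.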