author | Chad Brubaker <cbrubaker@google.com> | 2015-07-29 13:53:36 -0700 |
---|---|---|
committer | Chad Brubaker <cbrubaker@google.com> | 2015-07-29 13:53:36 -0700 |
commit | 803f37f5d1bf75cb6e0d007f7d473645efd19a1d (patch) | |
tree | 5066e8c3ec44112c678f3e27580107e15bf4dd30 | |
parent | 2de8b75821bd62c90dde78e2ca78bbddfaf7ab19 (diff) | |
Fix unchecked length in Blob creation
Applications can specify arbitrary blobs using insert(), check their
length to prevent overflow issues.
Bug:22802399
Change-Id: I4097bd891c733914df70da5e2c58783081d913bf
-rw-r--r-- | keystore/keystore.cpp | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/keystore/keystore.cpp b/keystore/keystore.cpp
index bf1dec6..8a43f02 100644
--- a/keystore/keystore.cpp
+++ b/keystore/keystore.cpp
@@ -505,9 +505,17 @@ static const uint8_t CURRENT_BLOB_VERSION = 2;
 class Blob {
 public:
- Blob(const uint8_t* value, int32_t valueLength, const uint8_t* info, uint8_t infoLength,
+ Blob(const uint8_t* value, size_t valueLength, const uint8_t* info, uint8_t infoLength,
 BlobType type) {
 memset(&mBlob, 0, sizeof(mBlob));
+ if (valueLength > sizeof(mBlob.value)) {
+ valueLength = sizeof(mBlob.value);
+ ALOGW("Provided blob length too large");
+ }
+ if (infoLength + valueLength > sizeof(mBlob.value)) {
+ infoLength = sizeof(mBlob.value) - valueLength;
+ ALOGW("Provided info length too large");
+ }
 mBlob.length = valueLength;
 memcpy(mBlob.value, value, valueLength); |
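Review bot: Both new checks in the Blob constructor clamp the length and carry on, so an oversized `value` or `info` from an application is stored truncated with only an `ALOGW`, and the caller never learns that the key material it passed is not what was kept. A constructor cannot return an error, so the rejection would fit better in the code that accepts the application's data (the commit message names insert()), which is outside this hunk. The switch from `int32_t` to `size_t` also means a negative length from an existing caller would convert to a very large value and be clamped to `sizeof(mBlob.value)`, after which `memcpy` reads that many bytes from `value`; it is worth confirming no caller can pass one. If clamping stays, log the sizes so the event can be triaged, e.g. `ALOGW("Provided blob length too large: %zu > %zu", valueLength, sizeof(mBlob.value));`. The constructor body continues past the end of the hunk.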