Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9b29df2b authored by Chung-yih Wang's avatar Chung-yih Wang Committed by Android Git Automerger
Browse files

am 75b68163: Add memcpy and strcpy boundary check. 

Merge commit '75b681639d3945d22d4ab90856a65a05405d2538'

* commit '75b681639d3945d22d4ab90856a65a05405d2538':
  Add memcpy and strcpy boundary check.
parents 85fda3c8 11e9f3dd

cmds/keystore/keymgmt.c

+31 −1
Original line number Diff line number Diff line
@@ -79,14 +79,26 @@ static int encrypt_n_save(AES_KEY *enc_key, DATA_BLOB *blob, 
{

    int size, fd, ret = -1;

    unsigned char enc_blob[MAX_BLOB_LEN];



    char tmpfile[KEYFILE_LEN];



    if ((keyfile == NULL) || (strlen(keyfile) >= (KEYFILE_LEN - 4))) {

        LOGE("keyfile name is too long or null");

        return -1;

    }

    strcpy(tmpfile, keyfile);

    strcat(tmpfile, ".tmp");



    // prepare the blob

    if (IV_LEN > USER_KEY_LEN) {

        LOGE("iv length is too long.");

        return -1;

    }

    memcpy(blob->iv, iv, IV_LEN);

    blob->blob_size = get_blob_size(blob);

    if (blob->blob_size > MAX_BLOB_LEN) {

        LOGE("blob data size is too large.");

        return -1;

    }

    memcpy(enc_blob, blob->blob, blob->blob_size);

    AES_cbc_encrypt((unsigned char *)enc_blob, (unsigned char *)blob->blob,

                    blob->blob_size, enc_key, iv, AES_ENCRYPT);
@@ -133,8 +145,13 @@ static int store_master_key(char *upasswd, unsigned char *master_key) 
    DATA_BLOB blob;



    // prepare the blob

    if (strlen(MASTER_KEY_TAG) >= USER_KEY_LEN) return -1;

    strlcpy(blob.keyname, MASTER_KEY_TAG, USER_KEY_LEN);

    blob.value_size = USER_KEY_LEN;

    if (USER_KEY_LEN > MAX_KEY_VALUE_LENGTH) {

        LOGE("master_key length is too long.");

        return -1;

    }

    memcpy((void*)blob.value, (const void*)master_key, USER_KEY_LEN);



    // generate the encryption key
@@ -150,6 +167,10 @@ static int get_master_key(char *upasswd, unsigned char *master_key) 


    get_decrypt_key(upasswd, &key);

    ret = load_n_decrypt(MASTER_KEY_TAG, MASTER_KEY, &key, &blob);

    if (blob.value_size > USER_KEY_LEN) {

        LOGE("the blob's value size is too large");

        return -1;

    }

    if (!ret) memcpy(master_key, blob.value, blob.value_size);

    return ret;

}
@@ -224,8 +245,16 @@ int put_key(const char *namespace, const char *keyname, 
    }

    sprintf(keyfile, KEYFILE_NAME, namespace, keyname);

    // flatten the args

    if (strlen(keyname) >= MAX_KEY_NAME_LENGTH) {

        LOGE("keyname is too long.");

        return -1;

    }

    strcpy(blob.keyname, keyname);

    blob.value_size = size;

    if (size > MAX_KEY_VALUE_LENGTH) {

        LOGE("the data size is too large.");

        return -1;

    }

    memcpy(blob.value, data, size);

    return encrypt_n_save(&encryptKey, &blob, keyfile);

}
@@ -246,6 +275,7 @@ int get_key(const char *namespace, const char *keyname, 
    ret = load_n_decrypt(keyname, keyfile, &decryptKey, &blob);

    if (!ret) {

        if ((blob.value_size > MAX_KEY_VALUE_LENGTH)) {

            LOGE("blob value size is too large.");

            ret = -1;

        } else {

            *size = blob.value_size;