author | Chung-yih Wang <cywang@google.com> | 2009-07-23 07:23:24 +0800 |
---|---|---|
committer | Chung-yih Wang <cywang@google.com> | 2009-07-24 11:24:31 +0800 |
commit | 75b681639d3945d22d4ab90856a65a05405d2538 (patch) | |
tree | 0e5851af709beea194622d9cca17684e67c5b6a4 /cmds/keystore | |
parent | 0a4730f8889bd98e272bd5e7e0fedb6a69d33f54 (diff) | |
Add memcpy and strcpy boundary check.
Diffstat (limited to 'cmds/keystore')
-rw-r--r-- | cmds/keystore/keymgmt.c | 32 |
1 files changed, 31 insertions, 1 deletions
diff --git a/cmds/keystore/keymgmt.c b/cmds/keystore/keymgmt.c
index 66edd56..c45b53c 100644
--- a/cmds/keystore/keymgmt.c
+++ b/cmds/keystore/keymgmt.c
@@ -79,14 +79,26 @@ static int encrypt_n_save(AES_KEY *enc_key, DATA_BLOB *blob,
 {
 int size, fd, ret = -1;
 unsigned char enc_blob[MAX_BLOB_LEN];
- char tmpfile[KEYFILE_LEN];
+
+ if ((keyfile == NULL) || (strlen(keyfile) >= (KEYFILE_LEN - 4))) {
+ LOGE("keyfile name is too long or null");
+ return -1;
+ }
 strcpy(tmpfile, keyfile);
 strcat(tmpfile, ".tmp");
 // prepare the blob
+ if (IV_LEN > USER_KEY_LEN) {
+ LOGE("iv length is too long.");
+ return -1;
+ }
 memcpy(blob->iv, iv, IV_LEN);
 blob->blob_size = get_blob_size(blob);
+ if (blob->blob_size > MAX_BLOB_LEN) {
+ LOGE("blob data size is too large.");
+ return -1;
+ }
 memcpy(enc_blob, blob->blob, blob->blob_size);
 AES_cbc_encrypt((unsigned char *)enc_blob, (unsigned char *)blob->blob, blob->blob_size, enc_key, iv, AES_ENCRYPT);
@@ -133,8 +145,13 @@ static int store_master_key(char *upasswd, unsigned char *master_key)
 DATA_BLOB blob;
 // prepare the blob
+ if (strlen(MASTER_KEY_TAG) >= USER_KEY_LEN) return -1;
 strlcpy(blob.keyname, MASTER_KEY_TAG, USER_KEY_LEN);
 blob.value_size = USER_KEY_LEN;
+ if (USER_KEY_LEN > MAX_KEY_VALUE_LENGTH) {
+ LOGE("master_key length is too long.");
+ return -1;
+ }
 memcpy((void*)blob.value, (const void*)master_key, USER_KEY_LEN);
 // generate the encryption key
@@ -150,6 +167,10 @@ static int get_master_key(char *upasswd, unsigned char *master_key)
 get_decrypt_key(upasswd, &key);
 ret = load_n_decrypt(MASTER_KEY_TAG, MASTER_KEY, &key, &blob);
+ if (blob.value_size > USER_KEY_LEN) {
+ LOGE("the blob's value size is too large");
+ return -1;
+ }
 if (!ret) memcpy(master_key, blob.value, blob.value_size);
 return ret;
 }
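Review bot: In encrypt_n_save the added guard `if (IV_LEN > USER_KEY_LEN)` compares two compile-time constants at run time and bounds the copy by USER_KEY_LEN rather than by the destination `blob->iv`. The store_master_key hunk has the same pattern (`strlen(MASTER_KEY_TAG) >= USER_KEY_LEN`, `USER_KEY_LEN > MAX_KEY_VALUE_LENGTH`), and it limits `blob.keyname` by USER_KEY_LEN although put_key checks the same field against MAX_KEY_NAME_LENGTH. DATA_BLOB is not defined on this page, so whether these limits match the real array sizes cannot be confirmed here. A build-time assertion tied to the destination, for example `_Static_assert(IV_LEN <= sizeof(((DATA_BLOB *)0)->iv), "iv field too small");` where the toolchain supports it, plus `strlcpy(blob.keyname, MASTER_KEY_TAG, sizeof(blob.keyname));`, would catch a mismatch at build time instead of at first use. Both function bodies continue outside their hunks.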
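Review bot: In get_master_key the added test reads `blob.value_size` before `ret` is examined, so after a failed load_n_decrypt it inspects whatever the local `blob` happens to hold (its declaration is outside the hunk) and can log a misleading size error. Folding the test into the success path, `if (!ret && blob.value_size > USER_KEY_LEN) {`, keeps the bound on the memcpy without touching the blob after a failed load. If `value_size` is a signed type, which this page does not show, a negative value passes the `>` comparison and memcpy converts it to a very large length. The same applies to the existing check in get_key, so a `< 0` test or an unsigned field is worth adding in both places.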
@@ -224,8 +245,16 @@ int put_key(const char *namespace, const char *keyname,
 }
 sprintf(keyfile, KEYFILE_NAME, namespace, keyname);
 // flatten the args
+ if (strlen(keyname) >= MAX_KEY_NAME_LENGTH) {
+ LOGE("keyname is too long.");
+ return -1;
+ }
 strcpy(blob.keyname, keyname);
 blob.value_size = size;
+ if (size > MAX_KEY_VALUE_LENGTH) {
+ LOGE("the data size is too large.");
+ return -1;
+ }
 memcpy(blob.value, data, size);
 return encrypt_n_save(&encryptKey, &blob, keyfile);
 }
@@ -246,6 +275,7 @@ int get_key(const char *namespace, const char *keyname,
 ret = load_n_decrypt(keyname, keyfile, &decryptKey, &blob);
 if (!ret) {
 if ((blob.value_size > MAX_KEY_VALUE_LENGTH)) {
+ LOGE("blob value size is too large.");
 ret = -1;
 } else {
 *size = blob.value_size; |
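Review bot: In put_key the new length checks run after `sprintf(keyfile, KEYFILE_NAME, namespace, keyname);`, so an over-long keyname has already been formatted into `keyfile` by the time it is rejected, and `namespace` is not length-checked in the visible lines at all. The checks should move above the sprintf, and the format call itself should be bounded, e.g. `n = snprintf(keyfile, sizeof(keyfile), KEYFILE_NAME, namespace, keyname);` followed by `if (n < 0 || (size_t)n >= sizeof(keyfile)) return -1;`, assuming `keyfile` is a local array (its declaration is outside the hunk). The type of `size` is not visible here either; if it is signed, `size > MAX_KEY_VALUE_LENGTH` lets a negative value through to memcpy, so the guard should also reject `size < 0`. The start of the function is outside the hunk.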