diff options
| author | Chung-yih Wang <cywang@google.com> | 2009-07-23 07:23:24 +0800 |
|---|---|---|
| committer | Chung-yih Wang <cywang@google.com> | 2009-07-24 11:24:31 +0800 |
| commit | 11e9f3dd260935cac33a9a6fa45aafa9d87d495a (patch) | |
| tree | 79cbba6b7e1d5b9cbb435e246b05fa6a64c75429 /cmds/keystore/keymgmt.c | |
| parent | 174d638c96aef9eeaf0ee7ae334c8ff9a6b415bf (diff) | |
| download | frameworks_native-11e9f3dd260935cac33a9a6fa45aafa9d87d495a.zip frameworks_native-11e9f3dd260935cac33a9a6fa45aafa9d87d495a.tar.gz frameworks_native-11e9f3dd260935cac33a9a6fa45aafa9d87d495a.tar.bz2 | |
Add memcpy and strcpy boundary check.
Diffstat (limited to 'cmds/keystore/keymgmt.c')
| -rw-r--r-- | cmds/keystore/keymgmt.c | 32 |
1 files changed, 31 insertions, 1 deletions
diff --git a/cmds/keystore/keymgmt.c b/cmds/keystore/keymgmt.c index 66edd56..c45b53c 100644 --- a/cmds/keystore/keymgmt.c +++ b/cmds/keystore/keymgmt.c @@ -79,14 +79,26 @@ static int encrypt_n_save(AES_KEY *enc_key, DATA_BLOB *blob, { int size, fd, ret = -1; unsigned char enc_blob[MAX_BLOB_LEN]; - char tmpfile[KEYFILE_LEN]; + + if ((keyfile == NULL) || (strlen(keyfile) >= (KEYFILE_LEN - 4))) { + LOGE("keyfile name is too long or null"); + return -1; + } strcpy(tmpfile, keyfile); strcat(tmpfile, ".tmp"); // prepare the blob + if (IV_LEN > USER_KEY_LEN) { + LOGE("iv length is too long."); + return -1; + } memcpy(blob->iv, iv, IV_LEN); blob->blob_size = get_blob_size(blob); + if (blob->blob_size > MAX_BLOB_LEN) { + LOGE("blob data size is too large."); + return -1; + } memcpy(enc_blob, blob->blob, blob->blob_size); AES_cbc_encrypt((unsigned char *)enc_blob, (unsigned char *)blob->blob, blob->blob_size, enc_key, iv, AES_ENCRYPT); @@ -133,8 +145,13 @@ static int store_master_key(char *upasswd, unsigned char *master_key) DATA_BLOB blob; // prepare the blob + if (strlen(MASTER_KEY_TAG) >= USER_KEY_LEN) return -1; strlcpy(blob.keyname, MASTER_KEY_TAG, USER_KEY_LEN); blob.value_size = USER_KEY_LEN; + if (USER_KEY_LEN > MAX_KEY_VALUE_LENGTH) { + LOGE("master_key length is too long."); + return -1; + } memcpy((void*)blob.value, (const void*)master_key, USER_KEY_LEN); // generate the encryption key @@ -150,6 +167,10 @@ static int get_master_key(char *upasswd, unsigned char *master_key) get_decrypt_key(upasswd, &key); ret = load_n_decrypt(MASTER_KEY_TAG, MASTER_KEY, &key, &blob); + if (blob.value_size > USER_KEY_LEN) { + LOGE("the blob's value size is too large"); + return -1; + } if (!ret) memcpy(master_key, blob.value, blob.value_size); return ret; } @@ -224,8 +245,16 @@ int put_key(const char *namespace, const char *keyname, } sprintf(keyfile, KEYFILE_NAME, namespace, keyname); // flatten the args + if (strlen(keyname) >= MAX_KEY_NAME_LENGTH) { + LOGE("keyname is too long."); + return -1; + } strcpy(blob.keyname, keyname); blob.value_size = size; + if (size > MAX_KEY_VALUE_LENGTH) { + LOGE("the data size is too large."); + return -1; + } memcpy(blob.value, data, size); return encrypt_n_save(&encryptKey, &blob, keyfile); } @@ -246,6 +275,7 @@ int get_key(const char *namespace, const char *keyname, ret = load_n_decrypt(keyname, keyfile, &decryptKey, &blob); if (!ret) { if ((blob.value_size > MAX_KEY_VALUE_LENGTH)) { + LOGE("blob value size is too large."); ret = -1; } else { *size = blob.value_size; |