Merge pull request #12875 from OpenNuvoton/nuvoton_kvstore_devicekey_buffer_overrun

0xc0170 · web-flow · commit 96c0e9cd5c4f · 2020-05-12T14:13:40.000+02:00
KVStore: Fix buffer overrun when device key size doesn't match
diff --git a/features/device_key/TESTS/device_key/functionality/main.cpp b/features/device_key/TESTS/device_key/functionality/main.cpp
@@ -106,7 +106,7 @@ void generate_derived_key_consistency_16_byte_key_long_consistency_test(char *ke
         int ret = inner_store->reset();
         TEST_ASSERT_EQUAL_INT(DEVICEKEY_SUCCESS, ret);
 
-        ret = DeviceKey::get_instance().generate_root_of_trust();
+        ret = DeviceKey::get_instance().generate_root_of_trust(DEVICE_KEY_16BYTE);
         if (ret != DEVICEKEY_SUCCESS) {
             ret = inject_dummy_rot_key();
         }
@@ -170,7 +170,7 @@ void generate_derived_key_consistency_32_byte_key_long_consistency_test(char *ke
         int ret = inner_store->reset();
         TEST_ASSERT_EQUAL_INT(DEVICEKEY_SUCCESS, ret);
 
-        ret = DeviceKey::get_instance().generate_root_of_trust();
+        ret = DeviceKey::get_instance().generate_root_of_trust(DEVICE_KEY_32BYTE);
         if (ret != DEVICEKEY_SUCCESS) {
             ret = inject_dummy_rot_key();
         }
@@ -326,7 +326,7 @@ void generate_derived_key_consistency_16_byte_key_test()
     int ret = inner_store->reset();
     TEST_ASSERT_EQUAL_INT(DEVICEKEY_SUCCESS, ret);
 
-    ret = DeviceKey::get_instance().generate_root_of_trust();
+    ret = DeviceKey::get_instance().generate_root_of_trust(DEVICE_KEY_16BYTE);
     if (ret != DEVICEKEY_SUCCESS) {
         ret = inject_dummy_rot_key();
     }
@@ -366,7 +366,7 @@ void generate_derived_key_consistency_32_byte_key_test()
     int ret = inner_store->reset();
     TEST_ASSERT_EQUAL_INT(DEVICEKEY_SUCCESS, ret);
 
-    ret = DeviceKey::get_instance().generate_root_of_trust();
+    ret = DeviceKey::get_instance().generate_root_of_trust(DEVICE_KEY_32BYTE);
     if (ret != DEVICEKEY_SUCCESS) {
         ret = inject_dummy_rot_key();
     }
@@ -406,7 +406,7 @@ void generate_derived_key_key_type_16_test()
     int ret = inner_store->reset();
     TEST_ASSERT_EQUAL_INT(DEVICEKEY_SUCCESS, ret);
 
-    ret = DeviceKey::get_instance().generate_root_of_trust();
+    ret = DeviceKey::get_instance().generate_root_of_trust(DEVICE_KEY_16BYTE);
     if (ret != DEVICEKEY_SUCCESS) {
         ret = inject_dummy_rot_key();
     }
@@ -442,7 +442,7 @@ void generate_derived_key_key_type_32_test()
     int ret = inner_store->reset();
     TEST_ASSERT_EQUAL_INT(DEVICEKEY_SUCCESS, ret);
 
-    ret = DeviceKey::get_instance().generate_root_of_trust();
+    ret = DeviceKey::get_instance().generate_root_of_trust(DEVICE_KEY_32BYTE);
     if (ret != DEVICEKEY_SUCCESS) {
         ret = inject_dummy_rot_key();
     }
diff --git a/features/storage/kvstore/tdbstore/TDBStore.cpp b/features/storage/kvstore/tdbstore/TDBStore.cpp
@@ -1424,6 +1424,9 @@ int TDBStore::do_reserved_data_get(void *reserved_data, size_t reserved_data_buf
         if (crc == trailer.crc) {
             // Correct data, copy it and return to caller
             if (reserved_data) {
+                if (reserved_data_buf_size < trailer.data_size) {
+                    return MBED_ERROR_INVALID_SIZE;
+                }
                 memcpy(reserved_data, buf, trailer.data_size);
             }
             if (actual_data_size) {
