Merge pull request #325 from jmartins-ledger/bug-fixes

Bug fixes

.github/workflows/ci-workflow.yml

@@ -114,7 +114,9 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Build testing binaries
-        run: cd tests && ./build_local_test_elfs.sh
+        run: |
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+          cd tests && ./build_local_test_elfs.sh
 
       - name: Upload app binaries
         uses: actions/upload-artifact@v2

src/apdu_constants.h

@@ -60,64 +60,64 @@
 
 void handleGetPublicKey(uint8_t p1,
                         uint8_t p2,
-                        uint8_t *dataBuffer,
+                        const uint8_t *dataBuffer,
                         uint16_t dataLength,
                         unsigned int *flags,
                         unsigned int *tx);
 void handleProvideErc20TokenInformation(uint8_t p1,
                                         uint8_t p2,
-                                        uint8_t *dataBuffer,
+                                        const uint8_t *dataBuffer,
                                         uint16_t dataLength,
                                         unsigned int *flags,
                                         unsigned int *tx);
 void handleProvideNFTInformation(uint8_t p1,
                                  uint8_t p2,
-                                 uint8_t *dataBuffer,
+                                 const uint8_t *dataBuffer,
                                  uint16_t dataLength,
                                  unsigned int *flags,
                                  unsigned int *tx);
 void handleSign(uint8_t p1,
                 uint8_t p2,
-                uint8_t *dataBuffer,
+                const uint8_t *dataBuffer,
                 uint16_t dataLength,
                 unsigned int *flags,
                 unsigned int *tx);
 void handleGetAppConfiguration(uint8_t p1,
                                uint8_t p2,
-                               uint8_t *dataBuffer,
+                               const uint8_t *dataBuffer,
                                uint16_t dataLength,
                                unsigned int *flags,
                                unsigned int *tx);
 void handleSignPersonalMessage(uint8_t p1,
                                uint8_t p2,
-                               uint8_t *dataBuffer,
+                               const uint8_t *dataBuffer,
                                uint16_t dataLength,
                                unsigned int *flags,
                                unsigned int *tx);
 void handleSignEIP712Message(uint8_t p1,
                              uint8_t p2,
-                             uint8_t *dataBuffer,
+                             const uint8_t *dataBuffer,
                              uint16_t dataLength,
                              unsigned int *flags,
                              unsigned int *tx);
 
 void handleSetExternalPlugin(uint8_t p1,
                              uint8_t p2,
-                             uint8_t *workBuffer,
+                             const uint8_t *workBuffer,
                              uint16_t dataLength,
                              unsigned int *flags,
                              unsigned int *tx);
 
 void handleSetPlugin(uint8_t p1,
                      uint8_t p2,
-                     uint8_t *workBuffer,
+                     const uint8_t *workBuffer,
                      uint16_t dataLength,
                      unsigned int *flags,
                      unsigned int *tx);
 
 void handlePerformPrivacyOperation(uint8_t p1,
                                    uint8_t p2,
-                                   uint8_t *workBuffer,
+                                   const uint8_t *workBuffer,
                                    uint16_t dataLength,
                                    unsigned int *flags,
                                    unsigned int *tx);
@@ -126,7 +126,7 @@ void handlePerformPrivacyOperation(uint8_t p1,
 
 void handleGetEth2PublicKey(uint8_t p1,
                             uint8_t p2,
-                            uint8_t *dataBuffer,
+                            const uint8_t *dataBuffer,
                             uint16_t dataLength,
                             unsigned int *flags,
                             unsigned int *tx);
@@ -143,7 +143,7 @@ void handleSetEth2WinthdrawalIndex(uint8_t p1,
 
 void handleStarkwareGetPublicKey(uint8_t p1,
                                  uint8_t p2,
-                                 uint8_t *dataBuffer,
+                                 const uint8_t *dataBuffer,
                                  uint16_t dataLength,
                                  unsigned int *flags,
                                  unsigned int *tx);
@@ -155,13 +155,13 @@ void handleStarkwareSignMessage(uint8_t p1,
                                 unsigned int *tx);
 void handleStarkwareProvideQuantum(uint8_t p1,
                                    uint8_t p2,
-                                   uint8_t *dataBuffer,
+                                   const uint8_t *dataBuffer,
                                    uint16_t dataLength,
                                    unsigned int *flags,
                                    unsigned int *tx);
 void handleStarkwareUnsafeSign(uint8_t p1,
                                uint8_t p2,
-                               uint8_t *dataBuffer,
+                               const uint8_t *dataBuffer,
                                uint16_t dataLength,
                                unsigned int *flags,
                                unsigned int *tx);

src/eth_plugin_handler.c

@@ -5,7 +5,9 @@
 #include "network.h"
 #include "ethUtils.h"
 
-void eth_plugin_prepare_init(ethPluginInitContract_t *init, uint8_t *selector, uint32_t dataSize) {
+void eth_plugin_prepare_init(ethPluginInitContract_t *init,
+                             const uint8_t *selector,
+                             uint32_t dataSize) {
     memset((uint8_t *) init, 0, sizeof(ethPluginInitContract_t));
     init->selector = selector;
     init->dataSize = dataSize;

src/eth_plugin_handler.h

@@ -6,7 +6,9 @@
 #define NO_EXTRA_INFO(ctx, idx) \
     (allzeroes(&(ctx.transactionContext.extraInfo[idx]), sizeof(extraInfo_t)))
 
-void eth_plugin_prepare_init(ethPluginInitContract_t *init, uint8_t *selector, uint32_t dataSize);
+void eth_plugin_prepare_init(ethPluginInitContract_t *init,
+                             const uint8_t *selector,
+                             uint32_t dataSize);
 void eth_plugin_prepare_provide_parameter(ethPluginProvideParameter_t *provideParameter,
                                           uint8_t *parameter,
                                           uint32_t parameterOffset);

src/main.c

@@ -480,6 +480,36 @@ void handleGetWalletId(volatile unsigned int *tx) {
 
 #endif  // HAVE_WALLET_ID_SDK
 
+const uint8_t *parseBip32(const uint8_t *dataBuffer, uint16_t *dataLength, bip32_path_t *bip32) {
+    if (*dataLength < 1) {
+        PRINTF("Invalid data\n");
+        return NULL;
+    }
+
+    bip32->length = *dataBuffer;
+
+    if (bip32->length < 0x1 || bip32->length > MAX_BIP32_PATH) {
+        PRINTF("Invalid bip32\n");
+        return NULL;
+    }
+
+    dataBuffer++;
+    (*dataLength)--;
+
+    if (*dataLength < sizeof(uint32_t) * (bip32->length)) {
+        PRINTF("Invalid data\n");
+        return NULL;
+    }
+
+    for (uint8_t i = 0; i < bip32->length; i++) {
+        bip32->path[i] = U4BE(dataBuffer, 0);
+        dataBuffer += sizeof(uint32_t);
+        *dataLength -= sizeof(uint32_t);
+    }
+
+    return dataBuffer;
+}
+
 void handleApdu(unsigned int *flags, unsigned int *tx) {
     unsigned short sw = 0;
 

src/shared_context.h

@@ -18,6 +18,11 @@
 
 #define N_storage (*(volatile internalStorage_t *) PIC(&N_storage_real))
 
+typedef struct bip32_path_t {
+    uint8_t length;
+    uint32_t path[MAX_BIP32_PATH];
+} bip32_path_t;
+
 typedef struct internalStorage_t {
     unsigned char dataAllowed;
     unsigned char contractDetails;
@@ -82,8 +87,7 @@ typedef union extraInfo_t {
 } extraInfo_t;
 
 typedef struct transactionContext_t {
-    uint8_t pathLength;
-    uint32_t bip32Path[MAX_BIP32_PATH];
+    bip32_path_t bip32;
     uint8_t hash[INT256_LENGTH];
     union extraInfo_t extraInfo[MAX_ITEMS];
     uint8_t tokenSet[MAX_ITEMS];
@@ -91,15 +95,13 @@ typedef struct transactionContext_t {
 } transactionContext_t;
 
 typedef struct messageSigningContext_t {
-    uint8_t pathLength;
-    uint32_t bip32Path[MAX_BIP32_PATH];
+    bip32_path_t bip32;
     uint8_t hash[INT256_LENGTH];
     uint32_t remainingLength;
 } messageSigningContext_t;
 
 typedef struct messageSigningContext712_t {
-    uint8_t pathLength;
-    uint32_t bip32Path[MAX_BIP32_PATH];
+    bip32_path_t bip32;
     uint8_t domainHash[32];
     uint8_t messageHash[32];
 } messageSigningContext712_t;
@@ -217,5 +219,6 @@ extern uint32_t eth2WithdrawalIndex;
 #endif
 
 void reset_app_context(void);
+const uint8_t *parseBip32(const uint8_t *, uint16_t *, bip32_path_t *);
 
 #endif  // _SHARED_CONTEXT_H_

src/utils.c

@@ -54,7 +54,7 @@ int local_strchr(char *string, char ch) {
     return -1;
 }
 
-uint64_t u64_from_BE(uint8_t *in, uint8_t size) {
+uint64_t u64_from_BE(const uint8_t *in, uint8_t size) {
     uint8_t i = 0;
     uint64_t res = 0;
 

src/utils.h

@@ -28,7 +28,7 @@ void convertUint256BE(uint8_t* data, uint32_t length, uint256_t* target);
 
 int local_strchr(char* string, char ch);
 
-uint64_t u64_from_BE(uint8_t* in, uint8_t size);
+uint64_t u64_from_BE(const uint8_t* in, uint8_t size);
 
 bool uint256_to_decimal(const uint8_t* value, size_t value_len, char* out, size_t out_len);
 

src_common/ethUstream.c

@@ -296,6 +296,12 @@ static void processV(txContext_t *context) {
         PRINTF("Invalid type for RLP_V\n");
         THROW(EXCEPTION);
     }
+
+    if (context->currentFieldLength > sizeof(context->content->v)) {
+        PRINTF("Invalid length for RLP_V\n");
+        THROW(EXCEPTION);
+    }
+
     if (context->currentFieldPos < context->currentFieldLength) {
         uint32_t copySize =
             MIN(context->commandLength, context->currentFieldLength - context->currentFieldPos);
@@ -586,7 +592,7 @@ static parserStatus_e processTxInternal(txContext_t *context) {
 }
 
 parserStatus_e processTx(txContext_t *context,
-                         uint8_t *buffer,
+                         const uint8_t *buffer,
                          uint32_t length,
                          uint32_t processingFlags) {
     parserStatus_e result;

src_common/ethUstream.h

@@ -142,7 +142,7 @@ typedef struct txContext_t {
     uint32_t dataLength;
     uint8_t rlpBuffer[5];
     uint32_t rlpBufferPos;
-    uint8_t *workBuffer;
+    const uint8_t *workBuffer;
     uint32_t commandLength;
     uint32_t processingFlags;
     ustreamProcess_t customProcessor;
@@ -157,7 +157,7 @@ void initTx(txContext_t *context,
             ustreamProcess_t customProcessor,
             void *extra);
 parserStatus_e processTx(txContext_t *context,
-                         uint8_t *buffer,
+                         const uint8_t *buffer,
                          uint32_t length,
                          uint32_t processingFlags);
 parserStatus_e continueTx(txContext_t *context);

src_common/uint256.c

@@ -476,6 +476,11 @@ bool tostring256(uint256_t *number, uint32_t baseParam, char *out, uint32_t outL
         divmod256(&rDiv, &base, &rDiv, &rMod);
         out[offset++] = HEXDIGITS[(uint8_t) LOWER(LOWER(rMod))];
     } while (!zero256(&rDiv));
+
+    if (offset > (outLength - 1)) {
+        return false;
+    }
+
     out[offset] = '\0';
     reverseString(out, offset);
     return true;

src_features/getAppConfiguration/cmd_getAppConfiguration.c

@@ -5,7 +5,7 @@
 
 void handleGetAppConfiguration(uint8_t p1,
                                uint8_t p2,
-                               uint8_t *workBuffer,
+                               const uint8_t *workBuffer,
                                uint16_t dataLength,
                                unsigned int *flags,
                                unsigned int *tx) {

src_features/getEth2PublicKey/cmd_getEth2PublicKey.c

@@ -42,33 +42,29 @@ void getEth2PublicKey(uint32_t *bip32Path, uint8_t bip32PathLength, uint8_t *out
 
 void handleGetEth2PublicKey(uint8_t p1,
                             uint8_t p2,
-                            uint8_t *dataBuffer,
+                            const uint8_t *dataBuffer,
                             uint16_t dataLength,
                             unsigned int *flags,
                             unsigned int *tx) {
-    UNUSED(dataLength);
-    uint32_t bip32Path[MAX_BIP32_PATH];
-    uint32_t i;
-    uint8_t bip32PathLength = *(dataBuffer++);
+    bip32_path_t bip32;
 
     if (!called_from_swap) {
         reset_app_context();
     }
-    if ((bip32PathLength < 0x01) || (bip32PathLength > MAX_BIP32_PATH)) {
-        PRINTF("Invalid path\n");
-        THROW(0x6a80);
-    }
     if ((p1 != P1_CONFIRM) && (p1 != P1_NON_CONFIRM)) {
         THROW(0x6B00);
     }
     if (p2 != 0) {
         THROW(0x6B00);
     }
-    for (i = 0; i < bip32PathLength; i++) {
-        bip32Path[i] = U4BE(dataBuffer, 0);
-        dataBuffer += 4;
+
+    dataBuffer = parseBip32(dataBuffer, &dataLength, &bip32);
+
+    if (dataBuffer == NULL) {
+        THROW(0x6a80);
     }
-    getEth2PublicKey(bip32Path, bip32PathLength, tmpCtx.publicKeyContext.publicKey.W);
+
+    getEth2PublicKey(bip32.path, bip32.length, tmpCtx.publicKeyContext.publicKey.W);
 
 #ifndef NO_CONSENT
     if (p1 == P1_NON_CONFIRM)

src_features/getPublicKey/cmd_getPublicKey.c

@@ -7,39 +7,37 @@
 
 void handleGetPublicKey(uint8_t p1,
                         uint8_t p2,
-                        uint8_t *dataBuffer,
+                        const uint8_t *dataBuffer,
                         uint16_t dataLength,
                         unsigned int *flags,
                         unsigned int *tx) {
-    UNUSED(dataLength);
     uint8_t privateKeyData[INT256_LENGTH];
-    uint32_t bip32Path[MAX_BIP32_PATH];
-    uint32_t i;
-    uint8_t bip32PathLength = *(dataBuffer++);
+    bip32_path_t bip32;
     cx_ecfp_private_key_t privateKey;
+
     if (!called_from_swap) {
         reset_app_context();
     }
-    if ((bip32PathLength < 0x01) || (bip32PathLength > MAX_BIP32_PATH)) {
-        PRINTF("Invalid path\n");
-        THROW(0x6a80);
-    }
+
     if ((p1 != P1_CONFIRM) && (p1 != P1_NON_CONFIRM)) {
         THROW(0x6B00);
     }
     if ((p2 != P2_CHAINCODE) && (p2 != P2_NO_CHAINCODE)) {
         THROW(0x6B00);
     }
-    for (i = 0; i < bip32PathLength; i++) {
-        bip32Path[i] = U4BE(dataBuffer, 0);
-        dataBuffer += 4;
+
+    dataBuffer = parseBip32(dataBuffer, &dataLength, &bip32);
+
+    if (dataBuffer == NULL) {
+        THROW(0x6a80);
     }
+
     tmpCtx.publicKeyContext.getChaincode = (p2 == P2_CHAINCODE);
     io_seproxyhal_io_heartbeat();
     os_perso_derive_node_bip32(
         CX_CURVE_256K1,
-        bip32Path,
-        bip32PathLength,
+        bip32.path,
+        bip32.length,
         privateKeyData,
         (tmpCtx.publicKeyContext.getChaincode ? tmpCtx.publicKeyContext.chainCode : NULL));
     cx_ecfp_init_private_key(CX_CURVE_256K1, privateKeyData, 32, &privateKey);

src_features/performPrivacyOperation/cmd_performPrivacyOperation.c

@@ -25,43 +25,39 @@ void decodeScalar(const uint8_t *scalarIn, uint8_t *scalarOut) {
 
 void handlePerformPrivacyOperation(uint8_t p1,
                                    uint8_t p2,
-                                   uint8_t *dataBuffer,
+                                   const uint8_t *dataBuffer,
                                    uint16_t dataLength,
                                    unsigned int *flags,
                                    unsigned int *tx) {
-    UNUSED(dataLength);
     uint8_t privateKeyData[INT256_LENGTH];
     uint8_t privateKeyDataSwapped[INT256_LENGTH];
-    uint32_t bip32Path[MAX_BIP32_PATH];
-    uint8_t bip32PathLength = *(dataBuffer++);
+    bip32_path_t bip32;
     cx_err_t status = CX_OK;
-    if (p2 == P2_PUBLIC_ENCRYPTION_KEY) {
-        if (dataLength < 1 + 4 * bip32PathLength) {
-            THROW(0x6700);
-        }
-    } else if (p2 == P2_SHARED_SECRET) {
-        if (dataLength < 1 + 4 * bip32PathLength + 32) {
-            THROW(0x6700);
-        }
-    } else {
-        THROW(0x6B00);
-    }
-    cx_ecfp_private_key_t privateKey;
-    if ((bip32PathLength < 0x01) || (bip32PathLength > MAX_BIP32_PATH)) {
-        PRINTF("Invalid path\n");
-        THROW(0x6a80);
-    }
+
     if ((p1 != P1_CONFIRM) && (p1 != P1_NON_CONFIRM)) {
         THROW(0x6B00);
     }
-    for (uint8_t i = 0; i < bip32PathLength; i++) {
-        bip32Path[i] = U4BE(dataBuffer, 0);
-        dataBuffer += 4;
+
+    if ((p2 != P2_PUBLIC_ENCRYPTION_KEY) && (p2 != P2_SHARED_SECRET)) {
+        THROW(0x6700);
     }
+
+    dataBuffer = parseBip32(dataBuffer, &dataLength, &bip32);
+
+    if (dataBuffer == NULL) {
+        THROW(0x6a80);
+    }
+
+    if ((p2 == P2_SHARED_SECRET) && (dataLength < 32)) {
+        THROW(0x6700);
+    }
+
+    cx_ecfp_private_key_t privateKey;
+
     os_perso_derive_node_bip32(
         CX_CURVE_256K1,
-        bip32Path,
-        bip32PathLength,
+        bip32.path,
+        bip32.length,
         privateKeyData,
         (tmpCtx.publicKeyContext.getChaincode ? tmpCtx.publicKeyContext.chainCode : NULL));
     cx_ecfp_init_private_key(CX_CURVE_256K1, privateKeyData, 32, &privateKey);

src_features/provideErc20TokenInformation/cmd_provideTokenInfo.c

@@ -101,7 +101,7 @@ void handleProvideErc20TokenInformation(uint8_t p1,
 
 void handleProvideErc20TokenInformation(uint8_t p1,
                                         uint8_t p2,
-                                        uint8_t *workBuffer,
+                                        const uint8_t *workBuffer,
                                         uint16_t dataLength,
                                         unsigned int *flags,
                                         __attribute__((unused)) unsigned int *tx) {

src_features/provideNFTInformation/cmd_provideNFTInfo.c

@@ -53,7 +53,7 @@ typedef bool verificationAlgo(const cx_ecfp_public_key_t *,
 
 void handleProvideNFTInformation(uint8_t p1,
                                  uint8_t p2,
-                                 uint8_t *workBuffer,
+                                 const uint8_t *workBuffer,
                                  uint16_t dataLength,
                                  unsigned int *flags,
                                  unsigned int *tx) {
@@ -218,7 +218,7 @@ void handleProvideNFTInformation(uint8_t p1,
                         hashId,
                         hash,
                         sizeof(hash),
-                        workBuffer + offset,
+                        (uint8_t *) workBuffer + offset,
                         signatureLen)) {
 #ifndef HAVE_BYPASS_SIGNATURES
         PRINTF("Invalid NFT signature\n");

src_features/setEth2WithdrawalIndex/cmd_setEth2WithdrawalIndex.c

@@ -5,7 +5,7 @@
 
 void handleSetEth2WithdrawalIndex(uint8_t p1,
                                   uint8_t p2,
-                                  uint8_t *dataBuffer,
+                                  const uint8_t *dataBuffer,
                                   uint16_t dataLength,
                                   __attribute__((unused)) unsigned int *flags,
                                   __attribute__((unused)) unsigned int *tx) {

src_features/setExternalPlugin/cmd_setExternalPlugin.c

@@ -7,7 +7,7 @@
 
 void handleSetExternalPlugin(uint8_t p1,
                              uint8_t p2,
-                             uint8_t *workBuffer,
+                             const uint8_t *workBuffer,
                              uint16_t dataLength,
                              unsigned int *flags,
                              unsigned int *tx) {

src_features/setPlugin/cmd_setPlugin.c

@@ -86,7 +86,7 @@ static pluginType_t getPluginType(char *pluginName, uint8_t pluginNameLength) {
 
 void handleSetPlugin(uint8_t p1,
                      uint8_t p2,
-                     uint8_t *workBuffer,
+                     const uint8_t *workBuffer,
                      uint16_t dataLength,
                      unsigned int *flags,
                      unsigned int *tx) {
@@ -248,7 +248,7 @@ void handleSetPlugin(uint8_t p1,
                         hashId,
                         hash,
                         sizeof(hash),
-                        workBuffer + offset,
+                        (unsigned char *) (workBuffer + offset),
                         signatureLen)) {
 #ifndef HAVE_BYPASS_SIGNATURES
         PRINTF("Invalid NFT signature\n");

src_features/signMessage/cmd_signMessage.c

@@ -113,45 +113,32 @@ static void feed_value_str(const uint8_t *const data, size_t length, bool is_asc
 
 void handleSignPersonalMessage(uint8_t p1,
                                uint8_t p2,
-                               uint8_t *workBuffer,
+                               const uint8_t *workBuffer,
                                uint16_t dataLength,
                                unsigned int *flags,
                                unsigned int *tx) {
     UNUSED(tx);
     uint8_t hashMessage[INT256_LENGTH];
+
     if (p1 == P1_FIRST) {
         char tmp[11] = {0};
-        uint32_t i;
-        if (dataLength < 1) {
-            PRINTF("Invalid data\n");
-            THROW(0x6a80);
-        }
+
         if (appState != APP_STATE_IDLE) {
             reset_app_context();
         }
         appState = APP_STATE_SIGNING_MESSAGE;
 
-        tmpCtx.messageSigningContext.pathLength = workBuffer[0];
-        if ((tmpCtx.messageSigningContext.pathLength < 0x01) ||
-            (tmpCtx.messageSigningContext.pathLength > MAX_BIP32_PATH)) {
-            PRINTF("Invalid path\n");
+        workBuffer = parseBip32(workBuffer, &dataLength, &tmpCtx.messageSigningContext.bip32);
+
+        if (workBuffer == NULL) {
             THROW(0x6a80);
         }
-        workBuffer++;
-        dataLength--;
-        for (i = 0; i < tmpCtx.messageSigningContext.pathLength; i++) {
-            if (dataLength < sizeof(uint32_t)) {
-                PRINTF("Invalid data\n");
-                THROW(0x6a80);
-            }
-            tmpCtx.messageSigningContext.bip32Path[i] = U4BE(workBuffer, 0);
-            workBuffer += sizeof(uint32_t);
-            dataLength -= sizeof(uint32_t);
-        }
+
         if (dataLength < sizeof(uint32_t)) {
             PRINTF("Invalid data\n");
             THROW(0x6a80);
         }
+
         tmpCtx.messageSigningContext.remainingLength = U4BE(workBuffer, 0);
         workBuffer += sizeof(uint32_t);
         dataLength -= sizeof(uint32_t);

src_features/signMessage/ui_common_signMessage.c

@@ -9,8 +9,8 @@ unsigned int io_seproxyhal_touch_signMessage_ok(__attribute__((unused)) const ba
     uint32_t tx = 0;
     io_seproxyhal_io_heartbeat();
     os_perso_derive_node_bip32(CX_CURVE_256K1,
-                               tmpCtx.messageSigningContext.bip32Path,
-                               tmpCtx.messageSigningContext.pathLength,
+                               tmpCtx.messageSigningContext.bip32.path,
+                               tmpCtx.messageSigningContext.bip32.length,
                                privateKeyData,
                                NULL);
     io_seproxyhal_io_heartbeat();

src_features/signMessageEIP712/cmd_signMessage712.c

@@ -5,12 +5,10 @@
 
 void handleSignEIP712Message(uint8_t p1,
                              uint8_t p2,
-                             uint8_t *workBuffer,
+                             const uint8_t *workBuffer,
                              uint16_t dataLength,
                              unsigned int *flags,
                              unsigned int *tx) {
-    uint8_t i;
-
     UNUSED(tx);
     if ((p1 != 00) || (p2 != 00)) {
         THROW(0x6B00);
@@ -18,31 +16,13 @@ void handleSignEIP712Message(uint8_t p1,
     if (appState != APP_STATE_IDLE) {
         reset_app_context();
     }
-    if (dataLength < 1) {
-        PRINTF("Invalid data\n");
-        THROW(0x6a80);
-    }
-    tmpCtx.messageSigningContext712.pathLength = workBuffer[0];
-    if ((tmpCtx.messageSigningContext712.pathLength < 0x01) ||
-        (tmpCtx.messageSigningContext712.pathLength > MAX_BIP32_PATH)) {
-        PRINTF("Invalid path\n");
-        THROW(0x6a80);
-    }
-    workBuffer++;
-    dataLength--;
-    for (i = 0; i < tmpCtx.messageSigningContext712.pathLength; i++) {
-        if (dataLength < 4) {
-            PRINTF("Invalid data\n");
-            THROW(0x6a80);
-        }
-        tmpCtx.messageSigningContext712.bip32Path[i] = U4BE(workBuffer, 0);
-        workBuffer += 4;
-        dataLength -= 4;
-    }
-    if (dataLength < 32 + 32) {
-        PRINTF("Invalid data\n");
+
+    workBuffer = parseBip32(workBuffer, &dataLength, &tmpCtx.messageSigningContext.bip32);
+
+    if (workBuffer == NULL || dataLength < 32 + 32) {
         THROW(0x6a80);
     }
+
     memmove(tmpCtx.messageSigningContext712.domainHash, workBuffer, 32);
     memmove(tmpCtx.messageSigningContext712.messageHash, workBuffer + 32, 32);
 

src_features/signMessageEIP712/ui_common_signMessage712.c

@@ -34,8 +34,8 @@ unsigned int io_seproxyhal_touch_signMessage712_v0_ok(__attribute__((unused))
     PRINTF("EIP712 hash to sign %.*H\n", 32, hash);
     io_seproxyhal_io_heartbeat();
     os_perso_derive_node_bip32(CX_CURVE_256K1,
-                               tmpCtx.messageSigningContext712.bip32Path,
-                               tmpCtx.messageSigningContext712.pathLength,
+                               tmpCtx.messageSigningContext712.bip32.path,
+                               tmpCtx.messageSigningContext712.bip32.length,
                                privateKeyData,
                                NULL);
     io_seproxyhal_io_heartbeat();

src_features/signTx/cmd_signTx.c

@@ -6,49 +6,39 @@
 
 void handleSign(uint8_t p1,
                 uint8_t p2,
-                uint8_t *workBuffer,
+                const uint8_t *workBuffer,
                 uint16_t dataLength,
                 unsigned int *flags,
                 unsigned int *tx) {
     UNUSED(tx);
     parserStatus_e txResult;
-    uint32_t i;
 
     if (os_global_pin_is_validated() != BOLOS_UX_OK) {
         PRINTF("Device is PIN-locked");
         THROW(0x6982);
     }
     if (p1 == P1_FIRST) {
-        if (dataLength < 1) {
-            PRINTF("Invalid data\n");
-            THROW(0x6a80);
-        }
         if (appState != APP_STATE_IDLE) {
             reset_app_context();
         }
         appState = APP_STATE_SIGNING_TX;
-        tmpCtx.transactionContext.pathLength = workBuffer[0];
-        if ((tmpCtx.transactionContext.pathLength < 0x01) ||
-            (tmpCtx.transactionContext.pathLength > MAX_BIP32_PATH)) {
-            PRINTF("Invalid path\n");
+
+        workBuffer = parseBip32(workBuffer, &dataLength, &tmpCtx.transactionContext.bip32);
+
+        if (workBuffer == NULL) {
             THROW(0x6a80);
         }
-        workBuffer++;
-        dataLength--;
-        for (i = 0; i < tmpCtx.transactionContext.pathLength; i++) {
-            if (dataLength < 4) {
-                PRINTF("Invalid data\n");
-                THROW(0x6a80);
-            }
-            tmpCtx.transactionContext.bip32Path[i] = U4BE(workBuffer, 0);
-            workBuffer += 4;
-            dataLength -= 4;
-        }
+
         tmpContent.txContent.dataPresent = false;
         dataContext.tokenContext.pluginStatus = ETH_PLUGIN_RESULT_UNAVAILABLE;
 
         initTx(&txContext, &global_sha3, &tmpContent.txContent, customProcessor, NULL);
 
+        if (dataLength < 1) {
+            PRINTF("Invalid data\n");
+            THROW(0x6a80);
+        }
+
         // EIP 2718: TransactionType might be present before the TransactionPayload.
         uint8_t txType = *workBuffer;
         if (txType >= MIN_TX_TYPE && txType <= MAX_TX_TYPE) {

src_features/signTx/logic_signTx.c

@@ -282,8 +282,8 @@ static void get_public_key(uint8_t *out, uint8_t outLength) {
     }
 
     os_perso_derive_node_bip32(CX_CURVE_256K1,
-                               tmpCtx.transactionContext.bip32Path,
-                               tmpCtx.transactionContext.pathLength,
+                               tmpCtx.transactionContext.bip32.path,
+                               tmpCtx.transactionContext.bip32.length,
                                privateKeyData,
                                NULL);
     cx_ecfp_init_private_key(CX_CURVE_256K1, privateKeyData, 32, &privateKey);

src_features/signTx/ui_common_signTx.c

@@ -10,8 +10,8 @@ unsigned int io_seproxyhal_touch_tx_ok(__attribute__((unused)) const bagl_elemen
     uint32_t tx = 0;
     io_seproxyhal_io_heartbeat();
     os_perso_derive_node_bip32(CX_CURVE_256K1,
-                               tmpCtx.transactionContext.bip32Path,
-                               tmpCtx.transactionContext.pathLength,
+                               tmpCtx.transactionContext.bip32.path,
+                               tmpCtx.transactionContext.bip32.length,
                                privateKeyData,
                                NULL);
     cx_ecfp_init_private_key(CX_CURVE_256K1, privateKeyData, 32, &privateKey);

src_features/stark_getPublicKey/cmd_stark_getPublicKey.c

@@ -8,33 +8,32 @@
 
 void handleStarkwareGetPublicKey(uint8_t p1,
                                  uint8_t p2,
-                                 uint8_t *dataBuffer,
+                                 const uint8_t *dataBuffer,
                                  uint16_t dataLength,
                                  unsigned int *flags,
                                  unsigned int *tx) {
-    UNUSED(dataLength);
-    uint8_t privateKeyData[32];
-    uint32_t bip32Path[MAX_BIP32_PATH];
-    uint32_t i;
-    uint8_t bip32PathLength = *(dataBuffer++);
+    bip32_path_t bip32;
     cx_ecfp_private_key_t privateKey;
+    uint8_t privateKeyData[32];
+
     reset_app_context();
-    if ((bip32PathLength < 0x01) || (bip32PathLength > MAX_BIP32_PATH)) {
-        PRINTF("Invalid path\n");
-        THROW(0x6a80);
-    }
+
     if ((p1 != P1_CONFIRM) && (p1 != P1_NON_CONFIRM)) {
         THROW(0x6B00);
     }
+
     if (p2 != 0) {
         THROW(0x6B00);
     }
-    for (i = 0; i < bip32PathLength; i++) {
-        bip32Path[i] = U4BE(dataBuffer, 0);
-        dataBuffer += 4;
+
+    dataBuffer = parseBip32(dataBuffer, &dataLength, &bip32);
+
+    if (dataBuffer == NULL) {
+        THROW(0x6a80);
     }
+
     io_seproxyhal_io_heartbeat();
-    starkDerivePrivateKey(bip32Path, bip32PathLength, privateKeyData);
+    starkDerivePrivateKey(bip32.path, bip32.length, privateKeyData);
     cx_ecfp_init_private_key(CX_CURVE_Stark256, privateKeyData, 32, &privateKey);
     io_seproxyhal_io_heartbeat();
     cx_ecfp_generate_pair(CX_CURVE_Stark256, &tmpCtx.publicKeyContext.publicKey, &privateKey, 1);

src_features/stark_provideQuantum/cmd_stark_provideQuantum.c

@@ -7,7 +7,7 @@
 
 void handleStarkwareProvideQuantum(uint8_t p1,
                                    __attribute__((unused)) uint8_t p2,
-                                   uint8_t *dataBuffer,
+                                   const uint8_t *dataBuffer,
                                    uint16_t dataLength,
                                    __attribute__((unused)) unsigned int *flags,
                                    __attribute__((unused)) unsigned int *tx) {
@@ -35,7 +35,7 @@ void handleStarkwareProvideQuantum(uint8_t p1,
         THROW(0x6700);
     }
     if (p1 == STARK_QUANTUM_LEGACY) {
-        addressZero = allzeroes(dataBuffer, 20);
+        addressZero = allzeroes((void *) dataBuffer, 20);
     }
     if ((p1 != STARK_QUANTUM_ETH) && !addressZero) {
         for (i = 0; i < MAX_ITEMS; i++) {

src_features/stark_sign/cmd_stark_sign.c

@@ -20,7 +20,7 @@ void handleStarkwareSignMessage(uint8_t p1,
                                 __attribute__((unused)) unsigned int *tx) {
     uint8_t privateKeyData[INT256_LENGTH];
     uint32_t i;
-    uint8_t bip32PathLength = *(dataBuffer);
+    uint8_t bip32PathLength;
     uint8_t offset = 1;
     cx_ecfp_private_key_t privateKey;
     poorstream_t bitstream;
@@ -29,10 +29,19 @@ void handleStarkwareSignMessage(uint8_t p1,
     uint8_t protocol = 2;
     uint8_t preOffset, postOffset;
     uint8_t zeroTest;
+
     // Initial checks
     if (appState != APP_STATE_IDLE) {
         reset_app_context();
     }
+
+    if (dataLength < 1) {
+        PRINTF("Invalid data\n");
+        THROW(0x6a80);
+    }
+
+    bip32PathLength = *(dataBuffer);
+
     if ((bip32PathLength < 0x01) || (bip32PathLength > MAX_BIP32_PATH)) {
         PRINTF("Invalid path\n");
         THROW(0x6a80);
@@ -70,10 +79,10 @@ void handleStarkwareSignMessage(uint8_t p1,
     if (p2 != 0) {
         THROW(0x6B00);
     }
-    tmpCtx.transactionContext.pathLength = bip32PathLength;
+    tmpCtx.transactionContext.bip32.length = bip32PathLength;
     for (i = 0; i < bip32PathLength; i++) {
-        tmpCtx.transactionContext.bip32Path[i] = U4BE(dataBuffer, offset);
-        PRINTF("Storing path %d %d\n", i, tmpCtx.transactionContext.bip32Path[i]);
+        tmpCtx.transactionContext.bip32.path[i] = U4BE(dataBuffer, offset);
+        PRINTF("Storing path %d %d\n", i, tmpCtx.transactionContext.bip32.path[i]);
         offset += 4;
     }
     // Discard the path to use part of dataBuffer as a temporary buffer
@@ -205,7 +214,9 @@ void handleStarkwareSignMessage(uint8_t p1,
         cx_ecfp_public_key_t publicKey;
         // Check if the transfer is a self transfer
         io_seproxyhal_io_heartbeat();
-        starkDerivePrivateKey(tmpCtx.transactionContext.bip32Path, bip32PathLength, privateKeyData);
+        starkDerivePrivateKey(tmpCtx.transactionContext.bip32.path,
+                              bip32PathLength,
+                              privateKeyData);
         cx_ecfp_init_private_key(CX_CURVE_Stark256, privateKeyData, 32, &privateKey);
         io_seproxyhal_io_heartbeat();
         cx_ecfp_generate_pair(CX_CURVE_Stark256, &publicKey, &privateKey, 1);

src_features/stark_sign/ui_common_stark_sign.c

@@ -10,8 +10,8 @@ unsigned int io_seproxyhal_touch_stark_ok(__attribute__((unused)) const bagl_ele
     uint8_t signature[72];
     uint32_t tx = 0;
     io_seproxyhal_io_heartbeat();
-    starkDerivePrivateKey(tmpCtx.transactionContext.bip32Path,
-                          tmpCtx.transactionContext.pathLength,
+    starkDerivePrivateKey(tmpCtx.transactionContext.bip32.path,
+                          tmpCtx.transactionContext.bip32.length,
                           privateKeyData);
     io_seproxyhal_io_heartbeat();
     stark_sign(signature,

src_features/stark_unsafe_sign/cmd_stark_unsafe_sign.c

@@ -8,41 +8,38 @@
 
 void handleStarkwareUnsafeSign(uint8_t p1,
                                uint8_t p2,
-                               uint8_t *dataBuffer,
+                               const uint8_t *dataBuffer,
                                uint16_t dataLength,
                                unsigned int *flags,
                                __attribute__((unused)) unsigned int *tx) {
-    uint32_t i;
     uint8_t privateKeyData[INT256_LENGTH];
     cx_ecfp_public_key_t publicKey;
     cx_ecfp_private_key_t privateKey;
-    uint8_t bip32PathLength = *(dataBuffer);
-    uint8_t offset = 1;
+
     // Initial checks
     if (appState != APP_STATE_IDLE) {
         reset_app_context();
     }
-    if ((bip32PathLength < 0x01) || (bip32PathLength > MAX_BIP32_PATH)) {
-        PRINTF("Invalid path\n");
-        THROW(0x6a80);
-    }
+
     if ((p1 != 0) || (p2 != 0)) {
         THROW(0x6B00);
     }
 
-    if (dataLength != 32 + 4 * bip32PathLength + 1) {
+    dataBuffer = parseBip32(dataBuffer, &dataLength, &tmpCtx.transactionContext.bip32);
+
+    if (dataBuffer == NULL) {
+        THROW(0x6a80);
+    }
+
+    if (dataLength != 32) {
         THROW(0x6700);
     }
 
-    tmpCtx.transactionContext.pathLength = bip32PathLength;
-    for (i = 0; i < bip32PathLength; i++) {
-        tmpCtx.transactionContext.bip32Path[i] = U4BE(dataBuffer, offset);
-        PRINTF("Storing path %d %d\n", i, tmpCtx.transactionContext.bip32Path[i]);
-        offset += 4;
-    }
-    memmove(dataContext.starkContext.w2, dataBuffer + offset, 32);
+    memmove(dataContext.starkContext.w2, dataBuffer, 32);
     io_seproxyhal_io_heartbeat();
-    starkDerivePrivateKey(tmpCtx.transactionContext.bip32Path, bip32PathLength, privateKeyData);
+    starkDerivePrivateKey(tmpCtx.transactionContext.bip32.path,
+                          tmpCtx.transactionContext.bip32.length,
+                          privateKeyData);
     cx_ecfp_init_private_key(CX_CURVE_Stark256, privateKeyData, 32, &privateKey);
     io_seproxyhal_io_heartbeat();
     cx_ecfp_generate_pair(CX_CURVE_Stark256, &publicKey, &privateKey, 1);

src_features/stark_unsafe_sign/ui_common_stark_unsafe_sign.c

@@ -13,8 +13,8 @@ unsigned int io_seproxyhal_touch_stark_unsafe_sign_ok(__attribute__((unused))
     unsigned int info = 0;
     uint32_t tx = 0;
     io_seproxyhal_io_heartbeat();
-    starkDerivePrivateKey(tmpCtx.transactionContext.bip32Path,
-                          tmpCtx.transactionContext.pathLength,
+    starkDerivePrivateKey(tmpCtx.transactionContext.bip32.path,
+                          tmpCtx.transactionContext.bip32.length,
                           privateKeyData);
     io_seproxyhal_io_heartbeat();
     cx_ecfp_init_private_key(CX_CURVE_Stark256, privateKeyData, 32, &privateKey);

src_plugins/starkware/starkware_plugin.c

@@ -367,8 +367,8 @@ void starkware_get_source_address(char *destination) {
     cx_ecfp_private_key_t privateKey;
     cx_ecfp_public_key_t publicKey;
     os_perso_derive_node_bip32(CX_CURVE_256K1,
-                               tmpCtx.transactionContext.bip32Path,
-                               tmpCtx.transactionContext.pathLength,
+                               tmpCtx.transactionContext.bip32.path,
+                               tmpCtx.transactionContext.bip32.length,
                                privateKeyData,
                                NULL);
     cx_ecfp_init_private_key(CX_CURVE_256K1, privateKeyData, 32, &privateKey);