Fix multiple vulnerabilities

2022-07-08 11:12:50 +02:00
parent 4eb7109b86
commit e0218520d8
20 changed files with 166 additions and 168 deletions
--- a/src_features/signMessage/cmd_signMessage.c
+++ b/src_features/signMessage/cmd_signMessage.c
@@ -119,39 +119,26 @@ void handleSignPersonalMessage(uint8_t p1,
                               unsigned int *tx) {
    UNUSED(tx);
    uint8_t hashMessage[INT256_LENGTH];
+
    if (p1 == P1_FIRST) {
        char tmp[11] = {0};
-        uint32_t i;
-        if (dataLength < 1) {
-            PRINTF("Invalid data\n");
-            THROW(0x6a80);
-        }
+
        if (appState != APP_STATE_IDLE) {
            reset_app_context();
        }
        appState = APP_STATE_SIGNING_MESSAGE;

-        tmpCtx.messageSigningContext.pathLength = workBuffer[0];
-        if ((tmpCtx.messageSigningContext.pathLength < 0x01) ||
-            (tmpCtx.messageSigningContext.pathLength > MAX_BIP32_PATH)) {
-            PRINTF("Invalid path\n");
+        workBuffer = parseBip32(workBuffer, &dataLength, &tmpCtx.messageSigningContext.bip32);
+
+        if (workBuffer == NULL) {
            THROW(0x6a80);
        }
-        workBuffer++;
-        dataLength--;
-        for (i = 0; i < tmpCtx.messageSigningContext.pathLength; i++) {
-            if (dataLength < sizeof(uint32_t)) {
-                PRINTF("Invalid data\n");
-                THROW(0x6a80);
-            }
-            tmpCtx.messageSigningContext.bip32Path[i] = U4BE(workBuffer, 0);
-            workBuffer += sizeof(uint32_t);
-            dataLength -= sizeof(uint32_t);
-        }
+
        if (dataLength < sizeof(uint32_t)) {
            PRINTF("Invalid data\n");
            THROW(0x6a80);
        }
+
        tmpCtx.messageSigningContext.remainingLength = U4BE(workBuffer, 0);
        workBuffer += sizeof(uint32_t);
        dataLength -= sizeof(uint32_t);
--- a/src_features/signMessage/ui_common_signMessage.c
+++ b/src_features/signMessage/ui_common_signMessage.c
@@ -9,8 +9,8 @@ unsigned int io_seproxyhal_touch_signMessage_ok(__attribute__((unused)) const ba
    uint32_t tx = 0;
    io_seproxyhal_io_heartbeat();
    os_perso_derive_node_bip32(CX_CURVE_256K1,
-                               tmpCtx.messageSigningContext.bip32Path,
-                               tmpCtx.messageSigningContext.pathLength,
+                               tmpCtx.messageSigningContext.bip32.path,
+                               tmpCtx.messageSigningContext.bip32.length,
                               privateKeyData,
                               NULL);
    io_seproxyhal_io_heartbeat();