fix some buffer length calculations
mrnerdhair committed Jul 7, 2021
1 parent cc35343 commit 772d47c
Showing 3 changed files with 34 additions and 29 deletions.
26 changes: 13 additions & 13 deletions include/keepkey/transport/messages-tendermint.options
@@ -1,22 +1,22 @@
TendermintGetAddress.address_n max_count:10
TendermintGetAddress.address_prefix max_size:10
TendermintGetAddress.chain_name max_size:15
TendermintGetAddress.address_prefix max_length:9
TendermintGetAddress.chain_name max_length:14

TendermintAddress.address max_size:46
TendermintAddress.address max_length:53

TendermintMsgAck.denom max_size:10
TendermintMsgAck.chain_name max_size:15
TendermintMsgAck.message_type_prefix max_size:25
TendermintMsgAck.denom max_length:9
TendermintMsgAck.chain_name max_length:14
TendermintMsgAck.message_type_prefix max_length:24

TendermintSignTx.address_n max_count:10
TendermintSignTx.chain_id max_size:32
TendermintSignTx.memo max_size:256
TendermintSignTx.denom max_size:10
TendermintSignTx.chain_name max_size:15
TendermintSignTx.message_type_prefix max_size:25
TendermintSignTx.chain_id max_length:31
TendermintSignTx.memo max_length:255
TendermintSignTx.denom max_length:9
TendermintSignTx.chain_name max_length:14
TendermintSignTx.message_type_prefix max_length:24

TendermintMsgSend.from_address max_size:46
TendermintMsgSend.to_address max_size:46
TendermintMsgSend.from_address max_length:53
TendermintMsgSend.to_address max_length:53

TendermintSignedTx.public_key max_size:33
TendermintSignedTx.signature max_size:64
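Review bot: Nothing in this file records that `max_length` excludes the terminating NUL while `max_size` on a string field includes it, which is the distinction this whole change rests on. A header comment would keep a later edit from reintroducing the off-by-one, for example `# max_length = longest accepted string; the generated char array is one byte larger`. A second line such as `# keep in sync with the strnlen() bounds and from_address[54] in lib/firmware/signtx_tendermint.c` would tie the limits to the firmware code that repeats them as literals. This assumes the options parser accepts `#` comments, which nanopb option files do as far as I know.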
4 changes: 2 additions & 2 deletions lib/firmware/fsm_msg_tendermint.h
Expand Up @@ -112,9 +112,9 @@ void fsm_msgTendermintMsgAck(const TendermintMsgAck *msg) {
CHECK_PARAM(tendermint_signingIsInited(), "Signing not in progress");
if (!msg->has_send || !msg->send.has_to_address || !msg->send.has_amount) {
tendermint_signAbort();
// 21 + ^15 + 1 = 37
// 8 + ^14 + 13 + 1 = 36
char failmsg[40];
snprintf(failmsg, 40, "Invalid %s Message Type", msg->chain_name);
snprintf(failmsg, sizeof(failmsg), "Invalid %s Message Type", msg->chain_name);

fsm_sendFailure(FailureType_Failure_FirmwareError,
_(failmsg));
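Review bot: The size of `failmsg` is still tied to the `chain_name` limit only through the hand-computed comment `8 + ^14 + 13 + 1 = 36`, which is the kind of arithmetic this commit had to correct. A compile-time check next to the declaration would make a later change to the .options limit fail the build instead of silently truncating: `_Static_assert(sizeof(failmsg) >= sizeof("Invalid  Message Type") + sizeof(msg->chain_name) - 1, "failmsg too small");`. That assumes the generated struct stores `chain_name` as a fixed char array and the toolchain accepts C11. The return value of `snprintf` is also ignored, so a truncated message would go unnoticed; since the text only feeds `fsm_sendFailure`, that part is low risk. The function continues beyond the lines shown.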
33 changes: 19 additions & 14 deletions lib/firmware/signtx_tendermint.c
Expand Up @@ -59,10 +59,14 @@ bool tendermint_signTxInit(const HDNode *_node, const void *_msg, const size_t m
return false;
}

if (strnlen(denom, 10) > 9) {
return false;
}

memcpy((void *)&tmsg, _msg, msgsize);

bool success = true;
char buffer[64 + 1];
char buffer[128];

sha256_Init(&ctx);

Expand All @@ -77,7 +81,7 @@ bool tendermint_signTxInit(const HDNode *_node, const void *_msg, const size_t m
sha256_Update(&ctx, (uint8_t *)chainid_prefix, strlen(chainid_prefix));
tendermint_sha256UpdateEscaped(&ctx, tmsg.chain_id, strlen(tmsg.chain_id));

// 30 + ^10 + 19 = ^59
// 30 + ^10 + 11 + ^9 + 3 = ^63
success &=
tendermint_snprintf(&ctx, buffer, sizeof(buffer),
"\",\"fee\":{\"amount\":[{\"amount\":\"%" PRIu32
Expand All @@ -103,7 +107,7 @@ bool tendermint_signTxInit(const HDNode *_node, const void *_msg, const size_t m

bool tendermint_signTxUpdateMsgSend(const uint64_t amount, const char *to_address, const char *chainstr,
const char *denom, const char *msgTypePrefix) {
char buffer[64 + 1];
char buffer[128];
size_t decoded_len;
char hrp[45];
uint8_t decoded[38];
Expand All @@ -112,7 +116,12 @@ bool tendermint_signTxUpdateMsgSend(const uint64_t amount, const char *to_addres
return false;
}

char from_address[46];
if (strnlen(msgTypePrefix, 25) > 24 || strnlen(denom, 10) > 9 || strnlen(chainstr, 15) > 14) {
return false;
}

// ^14 + 39 + 1 = ^54
char from_address[54];
if (!tendermint_getAddress(&node, chainstr, from_address)) {
return false;
}
Expand All @@ -121,25 +130,21 @@ bool tendermint_signTxUpdateMsgSend(const uint64_t amount, const char *to_addres
sha256_Update(&ctx, (uint8_t *)",", 1);
}

if (strnlen(msgTypePrefix, 26) > 25 || strnlen(denom, 11) > 10 || strnlen(chainstr, 13) > 12) {
return false;
}

bool success = true;

// 9 + ^25 + 19 = ^53
// 9 + ^24 + 19 = ^52
success &= tendermint_snprintf(&ctx, buffer, sizeof(buffer), "{\"type\":\"%s/MsgSend\",\"value\":{", msgTypePrefix);

// 21 + ^20 + 19 = ^60
// 21 + ^20 + 11 + ^9 + 3 = ^64
success &= tendermint_snprintf(
&ctx, buffer, sizeof(buffer),
"\"amount\":[{\"amount\":\"%" PRIu64 "\",\"denom\":\"%s\"}]", amount, denom);

// 17 + 45 + 1 = 63
// 17 + ^53 + 1 = ^71
success &= tendermint_snprintf(&ctx, buffer, sizeof(buffer),
",\"from_address\":\"%s\"", from_address);

// 15 + 45 + 3 = 63
// 15 + ^53 + 3 = ^71
success &= tendermint_snprintf(&ctx, buffer, sizeof(buffer),
",\"to_address\":\"%s\"}}", to_address);

Expand All @@ -149,9 +154,9 @@ bool tendermint_signTxUpdateMsgSend(const uint64_t amount, const char *to_addres
}

bool tendermint_signTxFinalize(uint8_t *public_key, uint8_t *signature) {
char buffer[64 + 1];
char buffer[128];

// 16 + ^20 = ^36
// 14 + ^20 + 2 = ^36
if (!tendermint_snprintf(&ctx, buffer, sizeof(buffer),
"],\"sequence\":\"%" PRIu64 "\"}", tmsg.sequence))
return false;
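Review bot: `char hrp[45]` and `uint8_t decoded[38]` in tendermint_signTxUpdateMsgSend keep their old sizes, while this commit raises the `to_address` limit to 53 characters and `from_address` to 54 bytes. The code that fills them is in the collapsed part between the declarations and the first `return false`, so this is inferred rather than visible. If they receive a bech32 decode of `to_address`, a 53-character input can produce a human-readable part or data section longer than buffers sized for the former 45-character limit, giving an out-of-bounds stack write from host-supplied data. Either reject over-long input before decoding, e.g. by adding `strnlen(to_address, 54) > 53` to the new length check and confirming the decoder bounds its outputs, or grow both buffers to the new maximum, e.g. `char hrp[54]; uint8_t decoded[54];`. Separately, the literals 10/9, 15/14 and 25/24 in the `strnlen` checks repeat the .options limits by hand and would be safer derived from the generated field sizes.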
