diff --git a/include/keepkey/transport/messages-tendermint.options b/include/keepkey/transport/messages-tendermint.options index 8d071571..5fc137f0 100644 --- a/include/keepkey/transport/messages-tendermint.options +++ b/include/keepkey/transport/messages-tendermint.options @@ -1,22 +1,22 @@ TendermintGetAddress.address_n max_count:10 -TendermintGetAddress.address_prefix max_size:10 -TendermintGetAddress.chain_name max_size:15 +TendermintGetAddress.address_prefix max_length:9 +TendermintGetAddress.chain_name max_length:14 -TendermintAddress.address max_size:46 +TendermintAddress.address max_length:53 -TendermintMsgAck.denom max_size:10 -TendermintMsgAck.chain_name max_size:15 -TendermintMsgAck.message_type_prefix max_size:25 +TendermintMsgAck.denom max_length:9 +TendermintMsgAck.chain_name max_length:14 +TendermintMsgAck.message_type_prefix max_length:24 TendermintSignTx.address_n max_count:10 -TendermintSignTx.chain_id max_size:32 -TendermintSignTx.memo max_size:256 -TendermintSignTx.denom max_size:10 -TendermintSignTx.chain_name max_size:15 -TendermintSignTx.message_type_prefix max_size:25 +TendermintSignTx.chain_id max_length:31 +TendermintSignTx.memo max_length:255 +TendermintSignTx.denom max_length:9 +TendermintSignTx.chain_name max_length:14 +TendermintSignTx.message_type_prefix max_length:24 -TendermintMsgSend.from_address max_size:46 -TendermintMsgSend.to_address max_size:46 +TendermintMsgSend.from_address max_length:53 +TendermintMsgSend.to_address max_length:53 TendermintSignedTx.public_key max_size:33 TendermintSignedTx.signature max_size:64 diff --git a/lib/firmware/fsm_msg_tendermint.h b/lib/firmware/fsm_msg_tendermint.h index 30c8ef8a..53d0a2f5 100644 --- a/lib/firmware/fsm_msg_tendermint.h +++ b/lib/firmware/fsm_msg_tendermint.h @@ -112,9 +112,9 @@ void fsm_msgTendermintMsgAck(const TendermintMsgAck *msg) { CHECK_PARAM(tendermint_signingIsInited(), "Signing not in progress"); if (!msg->has_send || !msg->send.has_to_address || !msg->send.has_amount) { tendermint_signAbort(); - // 21 + ^15 + 1 = 37 + // 8 + ^14 + 13 + 1 = 36 char failmsg[40]; - snprintf(failmsg, 40, "Invalid %s Message Type", msg->chain_name); + snprintf(failmsg, sizeof(failmsg), "Invalid %s Message Type", msg->chain_name); fsm_sendFailure(FailureType_Failure_FirmwareError, _(failmsg)); diff --git a/lib/firmware/signtx_tendermint.c b/lib/firmware/signtx_tendermint.c index e4cdaa46..a6baa433 100644 --- a/lib/firmware/signtx_tendermint.c +++ b/lib/firmware/signtx_tendermint.c @@ -59,10 +59,14 @@ bool tendermint_signTxInit(const HDNode *_node, const void *_msg, const size_t m return false; } + if (strnlen(denom, 10) > 9) { + return false; + } + memcpy((void *)&tmsg, _msg, msgsize); bool success = true; - char buffer[64 + 1]; + char buffer[128]; sha256_Init(&ctx); @@ -77,7 +81,7 @@ bool tendermint_signTxInit(const HDNode *_node, const void *_msg, const size_t m sha256_Update(&ctx, (uint8_t *)chainid_prefix, strlen(chainid_prefix)); tendermint_sha256UpdateEscaped(&ctx, tmsg.chain_id, strlen(tmsg.chain_id)); - // 30 + ^10 + 19 = ^59 + // 30 + ^10 + 11 + ^9 + 3 = ^63 success &= tendermint_snprintf(&ctx, buffer, sizeof(buffer), "\",\"fee\":{\"amount\":[{\"amount\":\"%" PRIu32 @@ -103,7 +107,7 @@ bool tendermint_signTxInit(const HDNode *_node, const void *_msg, const size_t m bool tendermint_signTxUpdateMsgSend(const uint64_t amount, const char *to_address, const char *chainstr, const char *denom, const char *msgTypePrefix) { - char buffer[64 + 1]; + char buffer[128]; size_t decoded_len; char hrp[45]; uint8_t decoded[38]; @@ -112,7 +116,12 @@ bool tendermint_signTxUpdateMsgSend(const uint64_t amount, const char *to_addres return false; } - char from_address[46]; + if (strnlen(msgTypePrefix, 25) > 24 || strnlen(denom, 10) > 9 || strnlen(chainstr, 15) > 14) { + return false; + } + + // ^14 + 39 + 1 = ^54 + char from_address[54]; if (!tendermint_getAddress(&node, chainstr, from_address)) { return false; } @@ -121,25 +130,21 @@ bool tendermint_signTxUpdateMsgSend(const uint64_t amount, const char *to_addres sha256_Update(&ctx, (uint8_t *)",", 1); } - if (strnlen(msgTypePrefix, 26) > 25 || strnlen(denom, 11) > 10 || strnlen(chainstr, 13) > 12) { - return false; - } - bool success = true; - // 9 + ^25 + 19 = ^53 + // 9 + ^24 + 19 = ^52 success &= tendermint_snprintf(&ctx, buffer, sizeof(buffer), "{\"type\":\"%s/MsgSend\",\"value\":{", msgTypePrefix); - // 21 + ^20 + 19 = ^60 + // 21 + ^20 + 11 + ^9 + 3 = ^64 success &= tendermint_snprintf( &ctx, buffer, sizeof(buffer), "\"amount\":[{\"amount\":\"%" PRIu64 "\",\"denom\":\"%s\"}]", amount, denom); - // 17 + 45 + 1 = 63 + // 17 + ^53 + 1 = ^71 success &= tendermint_snprintf(&ctx, buffer, sizeof(buffer), ",\"from_address\":\"%s\"", from_address); - // 15 + 45 + 3 = 63 + // 15 + ^53 + 3 = ^71 success &= tendermint_snprintf(&ctx, buffer, sizeof(buffer), ",\"to_address\":\"%s\"}}", to_address); @@ -149,9 +154,9 @@ bool tendermint_signTxUpdateMsgSend(const uint64_t amount, const char *to_addres } bool tendermint_signTxFinalize(uint8_t *public_key, uint8_t *signature) { - char buffer[64 + 1]; + char buffer[128]; - // 16 + ^20 = ^36 + // 14 + ^20 + 2 = ^36 if (!tendermint_snprintf(&ctx, buffer, sizeof(buffer), "],\"sequence\":\"%" PRIu64 "\"}", tmsg.sequence)) return false;