From 56d67360ef4f0e480baa595cca24d526d14e1680 Mon Sep 17 00:00:00 2001
From: Seppo Takalo
Date: Wed, 27 Nov 2019 15:55:12 +0200
Subject: [PATCH] SecureStore: Validate internal header size before using its values.
---
 features/storage/kvstore/securestore/SecureStore.cpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/features/storage/kvstore/securestore/SecureStore.cpp b/features/storage/kvstore/securestore/SecureStore.cpp
index 0331c5eedd..f6e617c77b 100644
--- a/features/storage/kvstore/securestore/SecureStore.cpp
+++ b/features/storage/kvstore/securestore/SecureStore.cpp
@@ -530,6 +530,7 @@ int SecureStore::do_get(const char *key, void *buffer, size_t buffer_size, size_
 uint8_t *dest_buf;
 bool enc_started = false, auth_started = false;
 uint32_t create_flags;
+ size_t read_len;
 if (!is_valid_key(key)) {
 return MBED_ERROR_INVALID_ARGUMENT;
@@ -548,7 +549,7 @@ int SecureStore::do_get(const char *key, void *buffer, size_t buffer_size, size_
 }
 }
- ret = _underlying_kv->get(key, &ih->metadata, sizeof(record_metadata_t));
+ ret = _underlying_kv->get(key, &ih->metadata, sizeof(record_metadata_t), &read_len);
 if (ret) {
 // In case we have the key in the RBP KV, then even if the key wasn't found in
 // the underlying KV, we may have been exposed to an attack. Return an RBP authentication error.
@@ -558,6 +559,12 @@ int SecureStore::do_get(const char *key, void *buffer, size_t buffer_size, size_
 goto end;
 }
+ // Validate header size
+ if ((read_len != sizeof(record_metadata_t)) || (ih->metadata.metadata_size != sizeof(record_metadata_t))) {
+ ret = MBED_ERROR_RBP_AUTHENTICATION_FAILED;
+ goto end;
+ }
+
 create_flags = ih->metadata.create_flags;
 if (!_rbp_kv) {
 create_flags &= ~REQUIRE_REPLAY_PROTECTION_FLAG;
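Review bot: `read_len` is declared without an initializer in the first hunk and handed to `_underlying_kv->get()` as an out-parameter here, so the size comparison added in the third hunk is only meaningful if every underlying store writes that out-parameter whenever it returns success. Declaring it as `size_t read_len = 0;` would make a backend that leaves the value untouched fail the header check deterministically instead of comparing an indeterminate value against `sizeof(record_metadata_t)`. The declaration sits with the other locals ahead of the visible `goto end` statements, so an initializer there should not introduce a jump past initialization, though the top of do_get is outside this hunk and that should be confirmed.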
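Review bot: The comment on the new check (`// Validate header size`) says what is tested but not why it must happen at this point, and the reason is the security-relevant part. The header has just been read from the underlying store, and nothing visible in this hunk has authenticated it before `create_flags` is taken from it. I would expand the comment to something like `// Header comes from the underlying store and is not authenticated yet: reject a short read or an unexpected metadata_size before trusting any field`. The check also returns MBED_ERROR_RBP_AUTHENTICATION_FAILED even on the path where `_rbp_kv` is null (handled two lines below), so it is worth confirming that callers without replay protection expect that code for a malformed header. Whether the other length fields in the header are bounded before use cannot be judged here, because the rest of do_get lies outside the hunk.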