Fix multiple vulnerabilities

2022-07-08 11:12:50 +02:00
parent 4eb7109b86
commit e0218520d8
20 changed files with 166 additions and 168 deletions
--- a/src_features/signMessageEIP712/cmd_signMessage712.c
+++ b/src_features/signMessageEIP712/cmd_signMessage712.c
@@ -9,8 +9,6 @@ void handleSignEIP712Message(uint8_t p1,
                             uint16_t dataLength,
                             unsigned int *flags,
                             unsigned int *tx) {
-    uint8_t i;
-
    UNUSED(tx);
    if ((p1 != 00) || (p2 != 00)) {
        THROW(0x6B00);
@@ -18,31 +16,13 @@ void handleSignEIP712Message(uint8_t p1,
    if (appState != APP_STATE_IDLE) {
        reset_app_context();
    }
-    if (dataLength < 1) {
-        PRINTF("Invalid data\n");
-        THROW(0x6a80);
-    }
-    tmpCtx.messageSigningContext712.pathLength = workBuffer[0];
-    if ((tmpCtx.messageSigningContext712.pathLength < 0x01) ||
-        (tmpCtx.messageSigningContext712.pathLength > MAX_BIP32_PATH)) {
-        PRINTF("Invalid path\n");
-        THROW(0x6a80);
-    }
-    workBuffer++;
-    dataLength--;
-    for (i = 0; i < tmpCtx.messageSigningContext712.pathLength; i++) {
-        if (dataLength < 4) {
-            PRINTF("Invalid data\n");
-            THROW(0x6a80);
-        }
-        tmpCtx.messageSigningContext712.bip32Path[i] = U4BE(workBuffer, 0);
-        workBuffer += 4;
-        dataLength -= 4;
-    }
-    if (dataLength < 32 + 32) {
-        PRINTF("Invalid data\n");
+
+    workBuffer = parseBip32(workBuffer, &dataLength, &tmpCtx.messageSigningContext.bip32);
+
+    if (workBuffer == NULL || dataLength < 32 + 32) {
        THROW(0x6a80);
    }
+
    memmove(tmpCtx.messageSigningContext712.domainHash, workBuffer, 32);
    memmove(tmpCtx.messageSigningContext712.messageHash, workBuffer + 32, 32);