commit bb9f4392c2f1b11be3acdc1737828274ff1ec55b
author Chad Brubaker <cbrubaker@google.com> Wed Jul 29 13:53:36 2015 -0700
committer The Android Automerger <android-build@google.com> Thu Aug 13 19:41:57 2015 -0700
tree 7b7a98657e51cf1dfe99324dd10da386d98d45c4
parent cd44a6b68316929039721ca5254bed48280dd40b

Fix unchecked length in Blob creation

Applications can specify arbitrary blobs using insert(), check their
length to prevent overflow issues.

Bug:22802399
Change-Id: I4097bd891c733914df70da5e2c58783081d913bf

keystore/keystore.cpp

diff --git a/keystore/keystore.cpp b/keystore/keystore.cpp
index 63f7ee2..58d2fd6 100644
--- a/keystore/keystore.cpp
+++ b/keystore/keystore.cpp
@@ -485,8 +485,16 @@
 
 class Blob {
 public:
-    Blob(const uint8_t* value, int32_t valueLength, const uint8_t* info, uint8_t infoLength,
+    Blob(const uint8_t* value, size_t valueLength, const uint8_t* info, uint8_t infoLength,
             BlobType type) {
+        if (valueLength > sizeof(mBlob.value)) {
+            valueLength = sizeof(mBlob.value);
+            ALOGW("Provided blob length too large");
+        }
+        if (infoLength + valueLength > sizeof(mBlob.value)) {
+            infoLength = sizeof(mBlob.value) - valueLength;
+            ALOGW("Provided info length too large");
+        }
         mBlob.length = valueLength;
         memcpy(mBlob.value, value, valueLength);