Closed invd closed 3 years ago
I'm interested in patching up this potentially undefined behavior bug on my fork. Where can I find the internally proposed patch for this?
Is it enough to just change the line to this?
new_mnemonic[MAX(1u, strnlen(new_mnemonic, sizeof(new_mnemonic)) - 1)] = '\0';
From what I can tell looking at the code above, new_mnemonic is a single-space delimited list of seed words. The last character of this array should be a space which gets replaced by a \0 null character.
@greatwolf : this has been solved recently in the master branch through commit 04fbc47284d2a08342bf4d9a2049fa2a15a9620a . Note that there are two 1u changes on the line.
This issue is now resolved, closing.
Reopening, the current patch is incorrect. Details have been communicated to KeepKey.
This has been fixed through https://github.com/keepkey/keepkey-firmware/commit/974f2bee29a2542a326da6d9c2b05e8f7db74e4a , closing.
The following write operation can go out of bounds since the inner strnlen() call can return 0. This allows an unsigned integer underflow after subtracting 1.
https://github.com/keepkey/keepkey-firmware/blob/a988325501ca75554a253bb7e8b2bf4511e92747/lib/firmware/recovery_cipher.c#L591
Technical notes
Organizational notes
I suggest applying the internally proposed patch.
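The underflow described in the issue body, as an added example that is not code from the keepkey-firmware repository or from either referenced commit: bounded_strlen stands in for strnlen(), naive_terminator_index computes the index the original expression would use (wrapping to SIZE_MAX for an empty buffer), and terminate_mnemonic is a hypothetical hardened replacement that refuses to index an empty buffer and only overwrites a trailing space; the sample word list is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for strnlen(): length of buf, never scanning past cap bytes. */
size_t bounded_strlen(const char *buf, size_t cap) {
    size_t len = 0;
    while (len < cap && buf[len] != '\0') {
        len++;
    }
    return len;
}

/* Index the original expression computes: length - 1. For an empty
 * buffer the length is 0 and 0u - 1 wraps to SIZE_MAX, so the write
 * would land far outside the array. Only the index is computed here,
 * so the wrap can be observed without performing any write. */
size_t naive_terminator_index(const char *buf, size_t cap) {
    return bounded_strlen(buf, cap) - 1;
}

/* Hardened variant (assumed, not the project's fix): never compute an
 * index for an empty buffer, and only overwrite the final character when
 * it is the trailing space the word list is expected to end with.
 * Returns true when a NUL terminator was written. */
bool terminate_mnemonic(char *buf, size_t cap) {
    size_t len = bounded_strlen(buf, cap);
    if (len == 0) {
        return false;          /* nothing to strip, and len - 1 would wrap */
    }
    if (len == cap) {
        buf[cap - 1] = '\0';   /* no NUL within cap: force termination in bounds */
        return true;
    }
    if (buf[len - 1] == ' ') {
        buf[len - 1] = '\0';   /* replace the trailing delimiter */
        return true;
    }
    return false;              /* already a proper string without a trailing space */
}

int main(void) {
    char words[32] = "abandon ability able ";   /* constructed sample */
    char empty[32] = "";
    printf("naive index for empty buffer: %zu\n", naive_terminator_index(empty, sizeof empty));
    printf("hardened: %s -> \"%s\"\n", terminate_mnemonic(words, sizeof words) ? "stripped" : "unchanged", words);
    return 0;
}
```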