Set a maximum accepted challenge size. am: 25924fca88 am: e8c600c4b1 am: 2ea23a0146 am: 8d85ac2bb6

Original change: https://android-review.googlesource.com/c/platform/system/keymaster/+/2504175

Change-Id: I7e8e8f060f33620cfe59bbbc6880deb013de10ec
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

1 files changed, 9 insertions, 0 deletions

diff --git a/android_keymaster/android_keymaster.cpp b/android_keymaster/android_keymaster.cpp
index 94b3e99..4a97bad 100644
--- a/android_keymaster/android_keymaster.cpp
+++ b/android_keymaster/android_keymaster.cpp
@@ -134,6 +134,7 @@ std::pair<const uint8_t*, size_t> blob2Pair(const keymaster_blob_t& blob) {
     return {blob.data, blob.data_length};
 }
 
+constexpr int kMaxChallengeSizeV2 = 64;
 constexpr int kP256AffinePointSize = 32;
 constexpr int kRoTVersion1 = 40001;
 
@@ -525,6 +526,14 @@ void AndroidKeymaster::GenerateCsrV2(const GenerateCsrV2Request& request,
 
     if (response == nullptr) return;
 
+    if (request.challenge.size() > kMaxChallengeSizeV2) {
+        LOG_E("Challenge is too large. %zu expected. %zu actual.",
+              kMaxChallengeSizeV2,        //
+              request.challenge.size());  //
+        response->error = static_cast<keymaster_error_t>(kStatusFailed);
+        return;
+    }
+
     auto rem_prov_ctx = context_->GetRemoteProvisioningContext();
     if (rem_prov_ctx == nullptr) {
         LOG_E("Couldn't get a pointer to the remote provisioning context, returned null.", 0);