Set a maximum accepted challenge size. am: 25924fca88 am: e8c600c4b1

Original change: https://android-review.googlesource.com/c/platform/system/keymaster/+/2504175

Change-Id: Ifbeee71d0fc6c69c37db82982a589e06d297f8fc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

1 files changed, 9 insertions, 0 deletions

diff --git a/android_keymaster/android_keymaster.cpp b/android_keymaster/android_keymaster.cpp
index 94b3e99..4a97bad 100644
--- a/android_keymaster/android_keymaster.cpp
+++ b/android_keymaster/android_keymaster.cpp
@@ -134,6 +134,7 @@ std::pair<const uint8_t*, size_t> blob2Pair(const keymaster_blob_t& blob) {
     return {blob.data, blob.data_length};
 }
 
+constexpr int kMaxChallengeSizeV2 = 64;
 constexpr int kP256AffinePointSize = 32;
 constexpr int kRoTVersion1 = 40001;
 
@@ -525,6 +526,14 @@ void AndroidKeymaster::GenerateCsrV2(const GenerateCsrV2Request& request,
 
     if (response == nullptr) return;
 
+    if (request.challenge.size() > kMaxChallengeSizeV2) {
+        LOG_E("Challenge is too large. %zu expected. %zu actual.",
+              kMaxChallengeSizeV2,        //
+              request.challenge.size());  //
+        response->error = static_cast<keymaster_error_t>(kStatusFailed);
+        return;
+    }
+
     auto rem_prov_ctx = context_->GetRemoteProvisioningContext();
     if (rem_prov_ctx == nullptr) {
         LOG_E("Couldn't get a pointer to the remote provisioning context, returned null.", 0);