Untitled
unknown
plain_text
4 months ago
1.5 kB
3
Indexable
qseeAppMain.c
...
void tz_app_cmd_handler(void *req, uint32_t reqLen, void *rsp, uint32_t rspLen)
{
int32_t ret;
CmdRsp_t rspBuf;
CmdReq_t reqBuf;
const size_t maxDataSize = getTaMaxDataSize(TA_PROV);
if(req == NULL || rsp == NULL)
{
LOGE("Buffer is invalid - %d %d.", reqLen, rspLen);
return;
}
if(qsee_is_ns_range(req, reqLen) || qsee_is_ns_range(rsp, rspLen))
{
LOGE("Buffer is located at non-secure memory.");
((CmdPtrRsp_t *)rsp)->status = ERR_TA_NOT_SECURE;
return;
}
if(!checkBspSecureState())
{
((CmdPtrRsp_t *)rsp)->status = ERR_SECURE_BOOT_DISABLED;
return;
}
// Allocator initialize.
if((ret = secMemoryManagerInit()) != NOT_ERROR)
{
((CmdPtrRsp_t *)rsp)->status = ret;
return;
}
// crypto engine init
CRYPTO_init();
memset(&reqBuf, 0, sizeof(reqBuf));
memset(&rspBuf, 0, sizeof(rspBuf));
if((reqBuf.data = (uint8_t *)secMemoryManagerMalloc(maxDataSize)) == NULL)
{
LOGE("Failed to allocate memory.");
((CmdPtrRsp_t *)rsp)->status = ERR_TA_NOT_ENOUGH_MEMORY;
return;
}
if((rspBuf.data = (uint8_t *)secMemoryManagerMalloc(maxDataSize)) == NULL)
{
LOGE("Failed to allocate memory.");
secMemoryManagerFree(reqBuf.data);
((CmdPtrRsp_t *)rsp)->status = ERR_TA_NOT_ENOUGH_MEMORY;
return;
}
memset(reqBuf.data, 0, maxDataSize);
memset(rspBuf.data, 0, maxDataSize);
memcpy(&reqBuf, req, TA_BUFFER_HEADER_LEN); // <-- Out-of-bounds Read
...Leave a Comment