fix(tools): change data type to size_t for doimage
In the image_encrypt function, a vulnerability arises
from a mismatch between unsigned and signed
integer types. When a large unsigned integer
is returned by strlen and stored in the signed
integer k, the value represented is a large
negative integer. This bypasses the subsequent
check against AES_BLOCK_SZ and allows a buffer
overflow to happen at memcpy.
A similar vulnerability is fixed in the
function verify_and_copy_file_name_entry.
Change-Id: I658521c1eec1c79933ba8082ba507df04d174e52
Signed-off-by: Jaiprakash Singh <jaiprakashs@marvell.com>
diff --git a/tools/marvell/doimage/doimage.c b/tools/marvell/doimage/doimage.c
index 1f0985c..12e1327 100644
--- a/tools/marvell/doimage/doimage.c
+++ b/tools/marvell/doimage/doimage.c
@@ -421,7 +421,7 @@
char *ptmp = (char *)&tv;
unsigned char digest[32];
unsigned char IV[AES_BLOCK_SZ];
- int i, k;
+ size_t i, k;
mbedtls_aes_context aes_ctx;
int rval = -1;
uint8_t *test_img = 0;
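Review bot: Switching `i` and `k` to `size_t` changes every use of both variables in the function, and almost all of those uses, including the `AES_BLOCK_SZ` check and the `memcpy` named in the commit message, lie outside this hunk. Any remaining expression that relied on signedness (a `>= 0` loop condition, a subtraction involving `k`, a comparison with a negative error value) would now wrap instead of going negative, so those uses are worth re-reading against the new type. A short comment on the declaration would also keep the type from being reverted later, for example `/* size_t: k receives strlen(); a signed type lets an oversized length skip the AES_BLOCK_SZ bound check */`.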
@@ -516,7 +516,8 @@
for (i = 0; i < blen; i++) {
if (buf[i] != test_img[i]) {
fprintf(stderr, "Failed to compare the image after");
- fprintf(stderr, " decryption! Byte count is %d\n", i);
+ fprintf(stderr, " decryption! Byte count is %lu\n",
+ (unsigned long)i);
rval = -1;
goto encrypt_exit;
}
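Review bot: The loop condition `i < blen` now compares an unsigned `size_t` against `blen`, whose declaration is outside the hunk; if `blen` is a signed `int`, a negative value converts to a very large unsigned bound and the loop would index `buf` and `test_img` far past their ends, where the old `int i` would not have iterated at all. Declaring `blen` as `size_t` as well, or rejecting a negative `blen` before the loop, closes that gap. Separately, `%lu` with an `(unsigned long)` cast truncates on hosts where `unsigned long` is narrower than `size_t`; C99 `%zu` takes the value directly: `fprintf(stderr, " decryption! Byte count is %zu\n", i);`. The same applies to the `is too long (%lu)` message in verify_and_copy_file_name_entry further down.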
@@ -614,11 +615,11 @@
int verify_and_copy_file_name_entry(const char *element_name,
const char *element, char *copy_to)
{
- int element_length = strlen(element);
+ size_t element_length = strlen(element);
if (element_length >= MAX_FILENAME) {
- fprintf(stderr, "The file name %s for %s is too long (%d). ",
- element, element_name, element_length);
+ fprintf(stderr, "The file name %s for %s is too long (%lu). ",
+ element, element_name, (unsigned long)element_length);
fprintf(stderr, "Maximum allowed %d characters!\n",
MAX_FILENAME);
return -1;