Merge pull request #269 from nasa/268-oob-read-branch-rebase

268 oob read branch rebase

include/crypto_error.h

@@ -124,6 +124,7 @@
 #define CRYPTO_LIB_ERR_FAIL_SA_SAVE (-52)
 #define CRYPTO_LIB_ERR_FAIL_SA_LOAD (-53)
 #define CRYPTO_LIB_ERR_KEY_VALIDATION (-54)
+#define CRYPTO_LIB_ERR_SPI_INDEX_OOB (-55)
 
 extern char *crypto_enum_errlist_core[];
 extern char *crypto_enum_errlist_config[];

src/core/crypto_tc.c

@@ -1762,6 +1762,11 @@ int32_t Crypto_TC_ProcessSecurity_Cam(uint8_t* ingest, int* len_ingest, TC_t* tc
 #endif
 
     status = Crypto_TC_Sanity_Validations(tc_sdls_processed_frame, &sa_ptr);
+    if (status != CRYPTO_LIB_SUCCESS)
+    {
+        mc_if->mc_log(status);
+        return status;
+    }
 
     // Allocate the necessary byte arrays within the security header + trailer given the SA
     //tc_sdls_processed_frame->tc_sec_header.iv = calloc(1, sa_ptr->iv_len);

src/sa/internal/sa_interface_inmemory.template.c

@@ -704,6 +704,11 @@ static int32_t sa_close(void)
 static int32_t sa_get_from_spi(uint16_t spi, SecurityAssociation_t** security_association)
 {
     int32_t status = CRYPTO_LIB_SUCCESS;
+    // Check if spi index in sa array
+    if (spi >= NUM_SA)
+    {
+        return CRYPTO_LIB_ERR_SPI_INDEX_OOB;
+    }
     *security_association = &sa[spi];
     // if (sa[spi].shivf_len > 0 && crypto_config.cryptography_type != CRYPTOGRAPHY_TYPE_KMCCRYPTO)
     // {

test/unit/ut_aos_process.c

@@ -798,4 +798,34 @@ UTEST(AOS_PROCESS, AEAD_GCM_BITMASK_1)
     free(ptr_processed_frame);
 }
 
+UTEST(AOS_PROCESS, AOS_SA_SEGFAULT_TEST)
+{
+    // Local Variables
+    int32_t status = CRYPTO_LIB_SUCCESS;
+    uint8_t* ptr_processed_frame = NULL;
+    uint16_t processed_aos_len;
+
+    // Configure Parameters
+    Crypto_Config_CryptoLib(KEY_TYPE_INTERNAL, MC_TYPE_INTERNAL, SA_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, 
+                            IV_INTERNAL, CRYPTO_AOS_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR,
+                            TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE,
+                            AOS_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE);
+    // AOS Tests
+    Crypto_Config_Add_Gvcid_Managed_Parameter(1, 0x002c, 0, AOS_HAS_FECF, AOS_SEGMENT_HDRS_NA, AOS_NO_OCF, 1786, AOS_NO_FHEC, AOS_HAS_IZ, 10);
+    status = Crypto_Init();
+
+    // Test frame setup
+    char* framed_aos_h = "42C00000000000000000000000000000FFFF";
+    char* framed_aos_b = NULL;
+    int framed_aos_len = 0;
+    hex_conversion(framed_aos_h, &framed_aos_b, &framed_aos_len);
+
+    status = Crypto_AOS_ProcessSecurity((uint8_t* )framed_aos_b, framed_aos_len, &ptr_processed_frame, &processed_aos_len);
+    ASSERT_EQ(CRYPTO_LIB_ERR_SPI_INDEX_OOB, status);
+
+    Crypto_Shutdown();
+    free(framed_aos_b);
+    free(ptr_processed_frame);
+}
+
 UTEST_MAIN();

test/unit/ut_tc_process.c

@@ -939,4 +939,38 @@ UTEST(TC_PROCESS, GCM_IV_AND_ARSN)
     free(tc_nist_processed_frame);
 }
 
+UTEST(TC_PROCESS, TC_SA_SEGFAULT_TEST)
+{
+    // Local Variables
+    int32_t status = CRYPTO_LIB_SUCCESS;
+
+    // Configure Parameters
+    Crypto_Config_CryptoLib(KEY_TYPE_INTERNAL, MC_TYPE_INTERNAL, SA_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, 
+                            IV_INTERNAL, CRYPTO_TC_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR,
+                            TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_TRUE, TC_UNIQUE_SA_PER_MAP_ID_FALSE,
+                            TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE);
+    // AOS Tests
+    Crypto_Config_Add_Gvcid_Managed_Parameter(0, 0x0003, 0, TC_HAS_FECF, TC_HAS_SEGMENT_HDRS, TC_OCF_NA, 1024, AOS_FHEC_NA, AOS_IZ_NA, 0);
+    status = Crypto_Init();
+
+    TC_t* tc_sdls_processed_frame;
+    tc_sdls_processed_frame = malloc(sizeof(uint8_t) * TC_SIZE);
+    memset(tc_sdls_processed_frame, 0, (sizeof(uint8_t) * TC_SIZE));
+
+    // Test frame setup
+    char* test_frame_pt_h = "2003002A000000FF00000000000000000000000000000000025364F9BC3344AF359DA06CA886748F59A0AB";
+    uint8_t *test_frame_pt_b = NULL;
+    int test_frame_pt_len = 0;
+
+    // Convert input test frame
+    hex_conversion(test_frame_pt_h, (char**) &test_frame_pt_b, &test_frame_pt_len);
+
+    status = Crypto_TC_ProcessSecurity(test_frame_pt_b, &test_frame_pt_len, tc_sdls_processed_frame);
+
+    ASSERT_EQ(CRYPTO_LIB_ERR_SPI_INDEX_OOB, status);
+    free(test_frame_pt_b);
+    free(tc_sdls_processed_frame);
+    Crypto_Shutdown();
+}
+
 UTEST_MAIN();

test/unit/ut_tm_process.c

@@ -1072,4 +1072,34 @@ UTEST(TM_PROCESS_ENC_VAL, AEAD_AES_GCM_BITMASK_1)
     free(iv_b);
 }
 
+UTEST(TM_PROCESS, TM_SA_SEGFAULT_TEST)
+{
+    // Local Variables
+    int32_t status = CRYPTO_LIB_SUCCESS;
+    uint8_t* ptr_processed_frame = NULL;
+    uint16_t processed_tm_len;
+
+    // Configure Parameters
+    Crypto_Config_CryptoLib(KEY_TYPE_INTERNAL, MC_TYPE_INTERNAL, SA_TYPE_INMEMORY, CRYPTOGRAPHY_TYPE_LIBGCRYPT, 
+                            IV_INTERNAL, CRYPTO_TM_CREATE_FECF_TRUE, TC_PROCESS_SDLS_PDUS_TRUE, TC_HAS_PUS_HDR,
+                            TC_IGNORE_SA_STATE_FALSE, TC_IGNORE_ANTI_REPLAY_FALSE, TC_UNIQUE_SA_PER_MAP_ID_FALSE,
+                            TC_CHECK_FECF_TRUE, 0x3F, SA_INCREMENT_NONTRANSMITTED_IV_TRUE);
+    // AOS Tests
+    Crypto_Config_Add_Gvcid_Managed_Parameter(1, 0x002c, 0, AOS_HAS_FECF, AOS_SEGMENT_HDRS_NA, AOS_NO_OCF, 1786, AOS_NO_FHEC, AOS_HAS_IZ, 10);
+    status = Crypto_Init();
+
+    // Test frame setup
+    char* framed_tm_h = "02c000001800FFFF";
+    char* framed_tm_b = NULL;
+    int framed_tm_len = 0;
+    hex_conversion(framed_tm_h, &framed_tm_b, &framed_tm_len);
+
+    status = Crypto_TM_ProcessSecurity((uint8_t* )framed_tm_b, framed_tm_len, &ptr_processed_frame, &processed_tm_len);
+    ASSERT_EQ(CRYPTO_LIB_ERR_SPI_INDEX_OOB, status);
+
+    Crypto_Shutdown();
+    free(framed_tm_b);
+    free(ptr_processed_frame);
+}
+
 UTEST_MAIN();