From cedc4f22ac54aa2e91f5b7c8e6a6a8f07a3f05e6 Mon Sep 17 00:00:00 2001
From: Andrey Pronin
Date: Thu, 2 Jan 2020 14:11:33 -0800
Subject: cr50: update size checks for U2F_ATTEST
This CL updates verification of the message size in U2F_ATTEST after adding userSecret field.
BUG=b:147020573
TEST=test_that firmware_Cr50U2fCommands
Change-Id: Ib1e9444fdd13ed27547df27aa9c2fed19ba59496
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1984894
Tested-by: Andrey Pronin
Commit-Queue: Andrey Pronin
Reviewed-by: Vadim Bendebury
Reviewed-by: Andrey Pronin
(cherry picked from commit d982955abbd9a7d85ca48d13f85809576f2efc26)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2003942
---
 common/u2f.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/u2f.c b/common/u2f.c
index 540503db84..bc55496fb6 100644
--- a/common/u2f.c
+++ b/common/u2f.c
@@ -364,8 +364,8 @@ static enum vendor_cmd_rc u2f_attest(enum vendor_cmd_cc code,
 *response_size = 0;
- if (input_size < 2 ||
- input_size < (2 + req->dataLen) ||
+ if (input_size < offsetof(U2F_ATTEST_REQ, data) ||
+ input_size < (offsetof(U2F_ATTEST_REQ, data) + req->dataLen) ||
 input_size > sizeof(U2F_ATTEST_REQ) ||
 response_buf_size < sizeof(*resp))
 return VENDOR_RC_BOGUS_ARGS;
-- cgit v1.2.1
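Review bot: The second comparison reads `req->dataLen` as soon as `input_size >= offsetof(U2F_ATTEST_REQ, data)`, which is safe only while `dataLen` sits entirely before `data` in the struct; the struct definition is not in this hunk, so that is presumably true, but nothing here enforces it. Since this commit was needed because a field was added to the request, a compile-time check beside the condition would stop a later layout change from turning this into a read past the received bytes, e.g. `BUILD_ASSERT(offsetof(U2F_ATTEST_REQ, dataLen) + sizeof(((U2F_ATTEST_REQ *)0)->dataLen) <= offsetof(U2F_ATTEST_REQ, data));`. The condition also accepts trailing bytes after the declared data, up to `sizeof(U2F_ATTEST_REQ)`, so a one-line comment such as `/* header plus dataLen bytes must be present; extra bytes up to the full struct are tolerated */` would make that intent explicit. The body of u2f_attest begins and continues outside the hunk.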