SecureStore: Validate internal header size before using its values.

Seppo Takalo · Seppo Takalo · commit 3d3a5583999f · 2019-11-27T18:49:44.000+02:00
diff --git a/features/storage/kvstore/securestore/SecureStore.cpp b/features/storage/kvstore/securestore/SecureStore.cpp
@@ -530,6 +530,7 @@ int SecureStore::do_get(const char *key, void *buffer, size_t buffer_size, size_
     uint8_t *dest_buf;
     bool enc_started = false, auth_started = false;
     uint32_t create_flags;
+    size_t read_len;
 
     if (!is_valid_key(key)) {
         return MBED_ERROR_INVALID_ARGUMENT;
@@ -548,7 +549,7 @@ int SecureStore::do_get(const char *key, void *buffer, size_t buffer_size, size_
         }
     }
 
-    ret = _underlying_kv->get(key, &ih->metadata, sizeof(record_metadata_t));
+    ret = _underlying_kv->get(key, &ih->metadata, sizeof(record_metadata_t), &read_len);
     if (ret) {
         // In case we have the key in the RBP KV, then even if the key wasn't found in
         // the underlying KV, we may have been exposed to an attack. Return an RBP authentication error.
@@ -558,6 +559,12 @@ int SecureStore::do_get(const char *key, void *buffer, size_t buffer_size, size_
         goto end;
     }
 
+    // Validate header size
+    if ((read_len != sizeof(record_metadata_t))  || (ih->metadata.metadata_size != sizeof(record_metadata_t))) {
+        ret = MBED_ERROR_RBP_AUTHENTICATION_FAILED;
+        goto end;
+    }
+
     create_flags = ih->metadata.create_flags;
     if (!_rbp_kv) {
         create_flags &= ~REQUIRE_REPLAY_PROTECTION_FLAG;
