diff --git a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
index 6524fafa80f836..61172baefb9075 100644
--- a/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
+++ b/src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp
@@ -42,6 +42,9 @@ namespace Credentials {
 namespace {
+// As per specifications section 11.22.5.1. Constant RESP_MAX
+constexpr size_t kMaxResponseLength = 900;
+
 static const ByteSpan kTestPaaRoots[] = {
 TestCerts::sTestCert_PAA_FFF1_Cert,
 TestCerts::sTestCert_PAA_NoVID_Cert,
@@ -184,6 +187,9 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer
 !info.attestationNonceBuffer.empty() && onCompletion != nullptr,
 attestationError = AttestationVerificationResult::kInvalidArgument);
+ VerifyOrExit(info.attestationElementsBuffer.size() <= kMaxResponseLength,
+ attestationError = AttestationVerificationResult::kInvalidArgument);
+
 // match DAC and PAI VIDs
 {
 VerifyOrExit(ExtractVIDPIDFromX509Cert(info.dacDerBuffer, dacVidPid) == CHIP_NO_ERROR,
@@ -410,6 +416,7 @@ CHIP_ERROR DefaultDACVerifier::VerifyNodeOperationalCSRInformation(const ByteSpa
 !attestationSignatureBuffer.empty() && !csrNonce.empty(),
 CHIP_ERROR_INVALID_ARGUMENT);
+ VerifyOrReturnError(nocsrElementsBuffer.size() <= kMaxResponseLength, CHIP_ERROR_INVALID_ARGUMENT);
 VerifyOrReturnError(csrNonce.size() == Controller::kCSRNonceLength, CHIP_ERROR_INVALID_ARGUMENT);
 ByteSpan csrSpan;
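Review bot: The new `VerifyOrExit(info.attestationElementsBuffer.size() <= kMaxResponseLength, ...)` in the VerifyAttestationInformation hunk assigns the same `attestationError = AttestationVerificationResult::kInvalidArgument` as the argument-validation VerifyOrExit directly above it, so nothing at the exit path or in the code tells a reader why an oversized device-supplied payload is treated as a caller argument error rather than a failed verification. Either fold the bound into the preceding condition list, or, if a separate exit is intentional, annotate it, e.g. `// Reject attestation_elements larger than RESP_MAX (spec 11.22.5.1) before any TLV decoding`. The same applies to the `nocsrElementsBuffer.size() <= kMaxResponseLength` check in the VerifyNodeOperationalCSRInformation hunk, which likewise carries no comment tying it to the constant's purpose. Both enclosing functions begin and end outside their hunks.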
@@ -420,6 +427,8 @@ CHIP_ERROR DefaultDACVerifier::VerifyNodeOperationalCSRInformation(const ByteSpa ReturnErrorOnFailure(DeconstructNOCSRElements(nocsrElementsBuffer, csrSpan, csrNonceSpan, vendorReserved1Span, vendorReserved2Span, vendorReserved3Span)); + VerifyOrReturnError(csrNonceSpan.size() == Controller::kCSRNonceLength, CHIP_ERROR_INVALID_ARGUMENT); + // Verify that Nonce matches with what we sent VerifyOrReturnError(csrNonceSpan.data_equal(csrNonce), CHIP_ERROR_INVALID_ARGUMENT);