Skip to content

Commit

Permalink
fix(legacy): Stricter protobuf field handling in Stellar.
Browse files Browse the repository at this point in the history
  • Loading branch information
@andrewkozlik @tsusanka
andrewkozlik authored and tsusanka committed Aug 24, 2021
1 parent 1749856 commit dd65780
Show file tree
Hide file tree
Showing 2 changed files with 90 additions and 91 deletions.
1 change: 1 addition & 0 deletions legacy/firmware/.changelog.d/noissue.security.2
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Stricter protobuf field handling in Stellar.
180 changes: 89 additions & 91 deletions legacy/firmware/stellar.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -105,10 +105,9 @@ bool stellar_signingInit(const StellarSignTx *msg) {
// non-zero
uint8_t has_timebounds =
(msg->timebounds_start > 0 || msg->timebounds_end > 0);
// Hash: the "has timebounds?" boolean
stellar_hashupdate_bool(has_timebounds);
if (has_timebounds) {
// Hash: the "has timebounds?" boolean
stellar_hashupdate_bool(true);

// Timebounds are sent as uint32s since that's all we can display, but they
// must be hashed as 64-bit values
stellar_hashupdate_uint32(0);
Expand All @@ -117,10 +116,6 @@ bool stellar_signingInit(const StellarSignTx *msg) {
stellar_hashupdate_uint32(0);
stellar_hashupdate_uint32(msg->timebounds_end);
}
// No timebounds, hash a false boolean
else {
stellar_hashupdate_bool(false);
}

// Hash: memo
stellar_hashupdate_uint32(msg->memo_type);
Expand All @@ -140,10 +135,12 @@ bool stellar_signingInit(const StellarSignTx *msg) {
// Hash and return are the same data structure (32 byte tx hash)
case 3:
case 4:
stellar_hashupdate_bytes(msg->memo_hash.bytes, msg->memo_hash.size);
stellar_hashupdate_bytes(msg->memo_hash.bytes, 32);
break;
default:
break;
fsm_sendFailure(FailureType_Failure_DataError,
_("Stellar invalid memo type"));
return false;
}

// Hash: number of operations
Expand Down Expand Up @@ -707,6 +704,7 @@ bool stellar_confirmSetOptionsOp(const StellarSetOptionsOp *msg) {
// Hash low threshold
stellar_hashupdate_uint32(msg->low_threshold);
}

stellar_hashupdate_bool(msg->has_medium_threshold);
if (msg->has_medium_threshold) {
char str_med_threshold[10 + 1] = {0};
Expand All @@ -720,6 +718,7 @@ bool stellar_confirmSetOptionsOp(const StellarSetOptionsOp *msg) {
// Hash medium threshold
stellar_hashupdate_uint32(msg->medium_threshold);
}

stellar_hashupdate_bool(msg->has_high_threshold);
if (msg->has_high_threshold) {
char str_high_threshold[10 + 1] = {0};
Expand Down Expand Up @@ -789,45 +788,42 @@ bool stellar_confirmSetOptionsOp(const StellarSetOptionsOp *msg) {
strlcat(str_weight_row, str_weight, sizeof(str_weight_row));

// 0 = account, 1 = pre-auth, 2 = hash(x)
char str_signer_type[16] = {0};
char *str_signer_type = NULL;
bool needs_hash_confirm = false;
if (msg->signer_type == 0) {
strlcpy(str_signer_type, _("account"), sizeof(str_signer_type));
strlcat(str_title, str_signer_type, sizeof(str_title));

const char **str_addr_rows =
stellar_lineBreakAddress(msg->signer_key.bytes);
stellar_layoutTransactionDialog(str_title, str_weight_row,
str_addr_rows[0], str_addr_rows[1],
str_addr_rows[2]);
if (!protectButton(ButtonRequestType_ButtonRequest_ProtectCall, false)) {
stellar_signingAbort(_("User canceled"));
return false;
}
}
if (msg->signer_type == 1) {
needs_hash_confirm = true;
strlcpy(str_signer_type, _("pre-auth hash"), sizeof(str_signer_type));
strlcat(str_title, str_signer_type, sizeof(str_title));

stellar_layoutTransactionDialog(str_title, str_weight_row, NULL,
_("(confirm hash on next"), _("screen)"));
if (!protectButton(ButtonRequestType_ButtonRequest_ProtectCall, false)) {
stellar_signingAbort(_("User canceled"));
switch (msg->signer_type) {
case 0:
strlcat(str_title, _("account"), sizeof(str_title));

const char **str_addr_rows =
stellar_lineBreakAddress(msg->signer_key.bytes);
stellar_layoutTransactionDialog(str_title, str_weight_row,
str_addr_rows[0], str_addr_rows[1],
str_addr_rows[2]);
if (!protectButton(ButtonRequestType_ButtonRequest_ProtectCall,
false)) {
stellar_signingAbort(_("User canceled"));
return false;
}
break;
case 1:
case 2:
str_signer_type =
(msg->signer_type == 1) ? _("pre-auth hash") : _("hash(x)");
needs_hash_confirm = true;
strlcat(str_title, str_signer_type, sizeof(str_title));

stellar_layoutTransactionDialog(str_title, str_weight_row, NULL,
_("(confirm hash on next"),
_("screen)"));
if (!protectButton(ButtonRequestType_ButtonRequest_ProtectCall,
false)) {
stellar_signingAbort(_("User canceled"));
return false;
}
break;
default:
stellar_signingAbort(_("Stellar: invalid signer type"));
return false;
}
}
if (msg->signer_type == 2) {
needs_hash_confirm = true;
strlcpy(str_signer_type, _("hash(x)"), sizeof(str_signer_type));
strlcat(str_title, str_signer_type, sizeof(str_title));

stellar_layoutTransactionDialog(str_title, str_weight_row, NULL,
_("(confirm hash on next"), _("screen)"));
if (!protectButton(ButtonRequestType_ButtonRequest_ProtectCall, false)) {
stellar_signingAbort(_("User canceled"));
return false;
}
}

// Extra confirmation step for hash signers
Expand All @@ -850,7 +846,7 @@ bool stellar_confirmSetOptionsOp(const StellarSetOptionsOp *msg) {
// Hash: signer type
stellar_hashupdate_uint32(msg->signer_type);
// key
stellar_hashupdate_bytes(msg->signer_key.bytes, msg->signer_key.size);
stellar_hashupdate_bytes(msg->signer_key.bytes, 32);
// weight
stellar_hashupdate_uint32(msg->signer_weight);
}
Expand Down Expand Up @@ -973,17 +969,21 @@ bool stellar_confirmAllowTrustOp(const StellarAllowTrustOp *msg) {
// asset type
stellar_hashupdate_uint32(msg->asset_type);
// asset code
if (msg->asset_type == 1) {
char code4[4 + 1] = {0};
memzero(code4, sizeof(code4));
strlcpy(code4, msg->asset_code, sizeof(code4));
stellar_hashupdate_bytes((uint8_t *)code4, 4);
}
if (msg->asset_type == 2) {
char code12[12 + 1] = {0};
memzero(code12, sizeof(code12));
strlcpy(code12, msg->asset_code, sizeof(code12));
stellar_hashupdate_bytes((uint8_t *)code12, 12);
char padded_code[12 + 1] = {0};
switch (msg->asset_type) {
case 0: // native asset (XLM)
break;
case 1: // alphanum 4
strlcpy(padded_code, msg->asset_code, 4 + 1);
stellar_hashupdate_bytes((uint8_t *)padded_code, 4);
break;
case 2: // alphanum 12
strlcpy(padded_code, msg->asset_code, 12 + 1);
stellar_hashupdate_bytes((uint8_t *)padded_code, 12);
break;
default:
stellar_signingAbort(_("Stellar: invalid asset type"));
return false;
}
// is authorized
stellar_hashupdate_bool(msg->is_authorized);
Expand Down Expand Up @@ -1086,11 +1086,9 @@ bool stellar_confirmManageDataOp(const StellarManageDataOp *msg) {
stellar_hashupdate_string((unsigned char *)&(msg->key),
strnlen(msg->key, 64));
// value
stellar_hashupdate_bool(msg->has_value);
if (msg->has_value) {
stellar_hashupdate_bool(true);
stellar_hashupdate_string(msg->value.bytes, msg->value.size);
} else {
stellar_hashupdate_bool(false);
}

// At this point, the operation is confirmed
Expand Down Expand Up @@ -1628,36 +1626,36 @@ void stellar_layoutTransactionSummary(const StellarSignTx *msg) {
// Reset lines for displaying memo
memzero(str_lines, sizeof(str_lines));

// Memo: none
if (msg->memo_type == 0) {
strlcpy(str_lines[0], _("[No Memo Set]"), sizeof(str_lines[0]));
strlcpy(str_lines[1], _("Important:"), sizeof(str_lines[0]));
strlcpy(str_lines[2], _("Many exchanges require"), sizeof(str_lines[0]));
strlcpy(str_lines[3], _("a memo when depositing."), sizeof(str_lines[0]));
}
// Memo: text
if (msg->memo_type == 1) {
strlcpy(str_lines[0], _("Memo (TEXT)"), sizeof(str_lines[0]));

// Split 28-character string into two lines of 19 / 9
// todo: word wrap method?
strlcpy(str_lines[1], (const char *)msg->memo_text, 19 + 1);
strlcpy(str_lines[2], (const char *)(msg->memo_text + 19), 9 + 1);
}
// Memo: ID
if (msg->memo_type == 2) {
strlcpy(str_lines[0], _("Memo (ID)"), sizeof(str_lines[0]));
stellar_format_uint64(msg->memo_id, str_lines[1], sizeof(str_lines[1]));
}
// Memo: hash
if (msg->memo_type == 3) {
needs_memo_hash_confirm = 1;
strlcpy(str_lines[0], _("Memo (HASH)"), sizeof(str_lines[0]));
}
// Memo: return
if (msg->memo_type == 4) {
needs_memo_hash_confirm = 1;
strlcpy(str_lines[0], _("Memo (RETURN)"), sizeof(str_lines[0]));
switch (msg->memo_type) {
case 0: // Memo: none
strlcpy(str_lines[0], _("[No Memo Set]"), sizeof(str_lines[0]));
strlcpy(str_lines[1], _("Important:"), sizeof(str_lines[0]));
strlcpy(str_lines[2], _("Many exchanges require"), sizeof(str_lines[0]));
strlcpy(str_lines[3], _("a memo when depositing."), sizeof(str_lines[0]));
break;
case 1: // Memo: text
strlcpy(str_lines[0], _("Memo (TEXT)"), sizeof(str_lines[0]));

// Split 28-character string into two lines of 19 / 9
// todo: word wrap method?
strlcpy(str_lines[1], (const char *)msg->memo_text, 19 + 1);
strlcpy(str_lines[2], (const char *)(msg->memo_text + 19), 9 + 1);
break;
case 2: // Memo: ID
strlcpy(str_lines[0], _("Memo (ID)"), sizeof(str_lines[0]));
stellar_format_uint64(msg->memo_id, str_lines[1], sizeof(str_lines[1]));
break;
case 3: // Memo: hash
needs_memo_hash_confirm = 1;
strlcpy(str_lines[0], _("Memo (HASH)"), sizeof(str_lines[0]));
break;
case 4: // Memo: return
needs_memo_hash_confirm = 1;
strlcpy(str_lines[0], _("Memo (RETURN)"), sizeof(str_lines[0]));
break;
default:
stellar_signingAbort(_("Stellar invalid memo type"));
return;
}

if (needs_memo_hash_confirm) {
Expand Down

0 comments on commit dd65780

Please sign in to comment.