Fix not checking hashed data size

R=wfrichar@chromium.org,gauravsh@chromium.org
BUG=chrome-os-partner:2909
TEST=make && make runtests

Review URL: http://codereview.chromium.org/6748009

Change-Id: I3251aa6e6dd62ff4351fdf33ca9182b19a29cbbf

1 files changed, 7 insertions, 0 deletions

diff --git a/firmware/lib/vboot_common.c b/firmware/lib/vboot_common.c
index 28d016ea..ce01e961 100644
--- a/firmware/lib/vboot_common.c
+++ b/firmware/lib/vboot_common.c
@@ -216,6 +216,12 @@ int KeyBlockVerify(const VbKeyBlockHeader* block, uint64_t size,
       return VBOOT_KEY_BLOCK_INVALID;
     }
 
+    /* Make sure advertised signature data sizes are sane. */
+    if (block->key_block_size < sig->data_size) {
+      VBDEBUG(("Signature calculated past end of the block\n"));
+      return VBOOT_KEY_BLOCK_INVALID;
+    }
+
     VBDEBUG(("Checking key block hash only...\n"));
     header_checksum = DigestBuf((const uint8_t*)block, sig->data_size,
                                 SHA512_DIGEST_ALGORITHM);
@@ -249,6 +255,7 @@ int KeyBlockVerify(const VbKeyBlockHeader* block, uint64_t size,
       VBDEBUG(("Signature calculated past end of the block\n"));
       return VBOOT_KEY_BLOCK_INVALID;
     }
+
     VBDEBUG(("Checking key block signature...\n"));
     rv = VerifyData((const uint8_t*)block, size, sig, rsa);
     RSAPublicKeyFree(rsa);