From 163e936231032d6389158788fe62483e30bdfcb9 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Sun, 18 Aug 2024 23:59:52 +0200
Subject: [PATCH] Fix potential bug in CBOR encoding. It happen if a keepalive packet is sent in the middle of an encoding.
Signed-off-by: Pol Henarejos
---
 src/fido/cbor_client_pin.c | 4 ++--
 src/fido/cbor_config.c | 4 ++--
 src/fido/cbor_cred_mgmt.c | 4 ++--
 src/fido/cbor_get_assertion.c | 4 ++--
 src/fido/cbor_get_info.c | 2 +-
 src/fido/cbor_large_blobs.c | 2 +-
 src/fido/cbor_make_credential.c | 4 ++--
 src/fido/cbor_vendor.c | 4 ++--
 8 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/src/fido/cbor_client_pin.c b/src/fido/cbor_client_pin.c
index 2d324da..4c8a3a9 100644
--- a/src/fido/cbor_client_pin.c
+++ b/src/fido/cbor_client_pin.c
@@ -336,7 +336,7 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
 }
 CBOR_PARSE_MAP_END(map, 1);
- cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_PACKET_SIZE, 0);
+ cbor_encoder_init(&encoder, res_APDU + 1, CTAP_MAX_PACKET_SIZE, 0);
 if (subcommand == 0x0) {
 CBOR_ERROR(CTAP2_ERR_MISSING_PARAMETER);
 }
@@ -632,7 +632,7 @@ int cbor_client_pin(const uint8_t *data, size_t len) {
 CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION);
 }
 CBOR_CHECK(cbor_encoder_close_container(&encoder, &mapEncoder));
- resp_size = cbor_encoder_get_buffer_size(&encoder, ctap_resp->init.data + 1);
+ resp_size = cbor_encoder_get_buffer_size(&encoder, res_APDU + 1);
 err:
 CBOR_FREE_BYTE_STRING(pinUvAuthParam);
 CBOR_FREE_BYTE_STRING(newPinEnc);
diff --git a/src/fido/cbor_config.c b/src/fido/cbor_config.c
index b8cb73f..4886bc0 100644
--- a/src/fido/cbor_config.c
+++ b/src/fido/cbor_config.c
@@ -106,7 +106,7 @@ int cbor_config(const uint8_t *data, size_t len) {
 }
 CBOR_PARSE_MAP_END(map, 1);
- cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_PACKET_SIZE, 0);
+ cbor_encoder_init(&encoder, res_APDU + 1, CTAP_MAX_PACKET_SIZE, 0);
 if (pinUvAuthParam.present == false) {
 CBOR_ERROR(CTAP2_ERR_PUAT_REQUIRED);
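Review bot: The bound passed to `cbor_encoder_init` in the `@@ -336` hunk of cbor_client_pin.c is still `CTAP_MAX_PACKET_SIZE`, although the destination is now `res_APDU + 1` rather than the CTAP response buffer that constant was paired with. Nothing in this patch shows how large `res_APDU` is, so if it holds fewer than `CTAP_MAX_PACKET_SIZE + 1` bytes the encoder's limit no longer stops a write past the end of the buffer. I would take the limit from the new buffer's own capacity minus the one-byte offset, or add a `_Static_assert` beside the definition of `res_APDU` that it is at least `CTAP_MAX_PACKET_SIZE + 1` bytes. The same applies to the `cbor_encoder_init` hunks in cbor_config.c, cbor_cred_mgmt.c, cbor_get_assertion.c, cbor_get_info.c, cbor_large_blobs.c, cbor_make_credential.c and cbor_vendor.c; each function's body runs beyond its hunk.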
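Review bot: `cbor_encoder_get_buffer_size` in the `@@ -632` hunk of cbor_client_pin.c only yields a correct `resp_size` when it is given the same start pointer as the earlier `cbor_encoder_init`, and after this patch that pairing is written out by hand as `res_APDU + 1` at fourteen call sites across eight files. A single shared definition, for example `#define CBOR_RESP_BUF (res_APDU + 1)` (the name is only a suggestion), with a comment stating what byte 0 is reserved for, would keep the two calls in step and document the offset. The matching `resp_size` hunks are in cbor_config.c, cbor_cred_mgmt.c, cbor_get_assertion.c, cbor_make_credential.c and cbor_vendor.c.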
@@ -228,7 +228,7 @@ int cbor_config(const uint8_t *data, size_t len) {
 CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION);
 }
 CBOR_CHECK(cbor_encoder_close_container(&encoder, &mapEncoder));
- resp_size = cbor_encoder_get_buffer_size(&encoder, ctap_resp->init.data + 1);
+ resp_size = cbor_encoder_get_buffer_size(&encoder, res_APDU + 1);
 err:
 CBOR_FREE_BYTE_STRING(pinUvAuthParam);
diff --git a/src/fido/cbor_cred_mgmt.c b/src/fido/cbor_cred_mgmt.c
index f5b9fdd..16416dc 100644
--- a/src/fido/cbor_cred_mgmt.c
+++ b/src/fido/cbor_cred_mgmt.c
@@ -120,7 +120,7 @@ int cbor_cred_mgmt(const uint8_t *data, size_t len) {
 }
 }
- cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_PACKET_SIZE, 0);
+ cbor_encoder_init(&encoder, res_APDU + 1, CTAP_MAX_PACKET_SIZE, 0);
 if (subcommand == 0x01) {
 if (verify(pinUvAuthProtocol, paut.data, (const uint8_t *) "\x01", 1, pinUvAuthParam.data) != CborNoError) {
@@ -442,7 +442,7 @@ int cbor_cred_mgmt(const uint8_t *data, size_t len) {
 CBOR_ERROR(CTAP2_ERR_NO_CREDENTIALS);
 }
 CBOR_CHECK(cbor_encoder_close_container(&encoder, &mapEncoder));
- resp_size = cbor_encoder_get_buffer_size(&encoder, ctap_resp->init.data + 1);
+ resp_size = cbor_encoder_get_buffer_size(&encoder, res_APDU + 1);
 err:
 CBOR_FREE_BYTE_STRING(pinUvAuthParam);
diff --git a/src/fido/cbor_get_assertion.c b/src/fido/cbor_get_assertion.c
index aa22e3b..b1c8728 100644
--- a/src/fido/cbor_get_assertion.c
+++ b/src/fido/cbor_get_assertion.c
@@ -585,7 +585,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
 if (extensions.largeBlobKey == ptrue && selcred->extensions.largeBlobKey == ptrue) {
 lfields++;
 }
- cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_PACKET_SIZE, 0);
+ cbor_encoder_init(&encoder, res_APDU + 1, CTAP_MAX_PACKET_SIZE, 0);
 CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, lfields));
 CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01));
@@ -638,7 +638,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
 }
 mbedtls_platform_zeroize(largeBlobKey, sizeof(largeBlobKey));
 CBOR_CHECK(cbor_encoder_close_container(&encoder, &mapEncoder));
- resp_size = cbor_encoder_get_buffer_size(&encoder, ctap_resp->init.data + 1);
+ resp_size = cbor_encoder_get_buffer_size(&encoder, res_APDU + 1);
 ctr++;
 file_put_data(ef_counter, (uint8_t *) &ctr, sizeof(ctr));
 low_flash_available();
diff --git a/src/fido/cbor_get_info.c b/src/fido/cbor_get_info.c
index 0864725..38cbf8d 100644
--- a/src/fido/cbor_get_info.c
+++ b/src/fido/cbor_get_info.c
@@ -26,7 +26,7 @@ int cbor_get_info() {
 CborEncoder encoder, mapEncoder, arrayEncoder, mapEncoder2;
 CborError error = CborNoError;
- cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_PACKET_SIZE, 0);
+ cbor_encoder_init(&encoder, res_APDU + 1, CTAP_MAX_PACKET_SIZE, 0);
 CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, 15));
 CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x01));
diff --git a/src/fido/cbor_large_blobs.c b/src/fido/cbor_large_blobs.c
index 432464d..9f65e37 100644
--- a/src/fido/cbor_large_blobs.c
+++ b/src/fido/cbor_large_blobs.c
@@ -79,7 +79,7 @@ int cbor_large_blobs(const uint8_t *data, size_t len) {
 CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
 }
- cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_PACKET_SIZE, 0);
+ cbor_encoder_init(&encoder, res_APDU + 1, CTAP_MAX_PACKET_SIZE, 0);
 if (get > 0) {
 if (length != 0) {
 CBOR_ERROR(CTAP1_ERR_INVALID_PARAMETER);
diff --git a/src/fido/cbor_make_credential.c b/src/fido/cbor_make_credential.c
index 33ccc98..176843b 100644
--- a/src/fido/cbor_make_credential.c
+++ b/src/fido/cbor_make_credential.c
@@ -468,7 +468,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
 }
 }
- cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_PACKET_SIZE, 0);
+ cbor_encoder_init(&encoder, res_APDU + 1, CTAP_MAX_PACKET_SIZE, 0);
 CBOR_CHECK(cbor_encoder_create_map(&encoder, &mapEncoder, extensions.largeBlobKey == ptrue && options.rk == ptrue ? 5 : 4));
@@ -512,7 +512,7 @@ int cbor_make_credential(const uint8_t *data, size_t len) {
 }
 mbedtls_platform_zeroize(largeBlobKey, sizeof(largeBlobKey));
 CBOR_CHECK(cbor_encoder_close_container(&encoder, &mapEncoder));
- resp_size = cbor_encoder_get_buffer_size(&encoder, ctap_resp->init.data + 1);
+ resp_size = cbor_encoder_get_buffer_size(&encoder, res_APDU + 1);
 if (options.rk == ptrue) {
 if (credential_store(cred_id, cred_id_len, rp_id_hash) != 0) {
diff --git a/src/fido/cbor_vendor.c b/src/fido/cbor_vendor.c
index 3b78c01..01b0bdb 100644
--- a/src/fido/cbor_vendor.c
+++ b/src/fido/cbor_vendor.c
@@ -101,7 +101,7 @@ int cbor_vendor_generic(uint8_t cmd, const uint8_t *data, size_t len) {
 }
 CBOR_PARSE_MAP_END(map, 1);
- cbor_encoder_init(&encoder, ctap_resp->init.data + 1, CTAP_MAX_PACKET_SIZE, 0);
+ cbor_encoder_init(&encoder, res_APDU + 1, CTAP_MAX_PACKET_SIZE, 0);
 if (cmd == CTAP_VENDOR_BACKUP) {
 if (vendorCmd == 0x01) {
@@ -300,7 +300,7 @@ int cbor_vendor_generic(uint8_t cmd, const uint8_t *data, size_t len) {
 CBOR_ERROR(CTAP2_ERR_UNSUPPORTED_OPTION);
 }
 CBOR_CHECK(cbor_encoder_close_container(&encoder, &mapEncoder));
- resp_size = cbor_encoder_get_buffer_size(&encoder, ctap_resp->init.data + 1);
+ resp_size = cbor_encoder_get_buffer_size(&encoder, res_APDU + 1);
 err:
 CBOR_FREE_BYTE_STRING(pinUvAuthParam);