[api/core/service] Verify frame overflow at frame transfer layer

TofMassilia13320 · TofMassilia13320 · commit 637af702d223 · 2026-02-11T16:09:45.000+01:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -10,6 +10,7 @@ repos:
     rev: v5.0.0
     hooks:
       - id: trailing-whitespace
+        exclude: doc
       - id: end-of-file-fixer
       - id: mixed-line-ending
         args: [--fix=lf]
diff --git a/api/stse_device_management.c b/api/stse_device_management.c
@@ -149,8 +149,7 @@ stse_ReturnCode_t stse_device_power_on(stse_Handler_t *pSTSE) {
     pSTSE->io.PowerLineOn(pSTSE->io.busID, pSTSE->io.Devaddr);
 
     /* - Wait for device to boot (tboot) */
-		switch (pSTSE->device_type)
-    {
+    switch (pSTSE->device_type) {
 #ifdef STSE_CONF_STSAFE_A_SUPPORT
     case STSAFE_A100:
     case STSAFE_A110:
diff --git a/api/stse_hash.c b/api/stse_hash.c
@@ -16,6 +16,7 @@
  *****************************************************************************/
 
 #include "api/stse_hash.h"
+#include "services/stsafea/stsafea_frame_transfer.h"
 #include "services/stsafea/stsafea_hash.h"
 
 #if defined(STSE_CONF_HASH_SHA_1) || defined(STSE_CONF_HASH_SHA_224) ||                                      \
diff --git a/core/stse_platform.h b/core/stse_platform.h
@@ -167,6 +167,7 @@ stse_ReturnCode_t stse_platform_ecc_generate_key_pair(stse_ecc_key_type_t key_ty
  * \param[in]  digestLen Length of the digest
  * \param[out] pSignature Pointer to the signature buffer
  * \return     \ref STSE_OK on success; \ref stse_ReturnCode_t error code otherwise
+ * \warning Few specific cryptographic library required to have public key concatenated to private key for EdDSA mechanism. In such case, pPrivKey pointer shall reference concatenated key pair buffer's address.
  */
 stse_ReturnCode_t stse_platform_ecc_sign(stse_ecc_key_type_t key_type,
                                          PLAT_UI8 *pPrivKey,
diff --git a/core/stse_return_codes.h b/core/stse_return_codes.h
@@ -101,7 +101,7 @@ enum stse_ReturnCode_t {
     STSE_SERVICE_INVALID_PARAMETER = 0x0301, /*!< STSE Wrong function parameters */
     STSE_SERVICE_HANDLER_NOT_INITIALISED,    /*!< STSE is not initialized please run stsafe_init function first */
     STSE_SERVICE_SESSION_ERROR,
-    STSE_SERVICE_BUFFER_OVERFLOW,
+    STSE_SERVICE_FRAME_SIZE_ERROR,
     STSE_SERVICE_INVALID_CONFIGURATION,
 
     /* - STSE API layer response code (MSB Mask 0x04xx)*/
diff --git a/services/stsafea/stsafea_commands.c b/services/stsafea/stsafea_commands.c
@@ -23,13 +23,6 @@
 
 #ifdef STSE_CONF_STSAFE_A_SUPPORT
 
-const PLAT_UI16 stsafea_maximum_frame_length[STSAFEA_PRODUCT_COUNT] = {
-    STSAFEA_MAX_FRAME_LENGTH_A100,
-    STSAFEA_MAX_FRAME_LENGTH_A110,
-    STSAFEA_MAX_FRAME_LENGTH_A120,
-    STSAFEA_MAX_FRAME_LENGTH_A200,
-};
-
 stse_ReturnCode_t stsafea_get_command_count(stse_Handler_t *pSTSE, PLAT_UI8 *pCommand_count) {
     PLAT_UI8 cmd_header = STSAFEA_CMD_QUERY;
     PLAT_UI8 tag = STSAFEA_SUBJECT_TAG_COMMAND_AUTHORIZATION_CONFIG;
diff --git a/services/stsafea/stsafea_commands.h b/services/stsafea/stsafea_commands.h
@@ -38,8 +38,6 @@
 #define STSAFEA_TRUE 0b1
 #define STSAFEA_FALSE 0b0
 
-#define STSAFEA_PRODUCT_COUNT 4U
-
 #define STSAFEA_EXT_HEADER_SIZE 2U
 #define STSAFEA_HEADER_SIZE 1U
 #define STSAFEA_CMD_EXTENSION_SIZE 1U
@@ -132,8 +130,6 @@ typedef enum stsafea_extended_cmd_code_t {
     STSAFEA_EXTENDED_CMD_DECOMPRESS_PUBLIC_KEY          /*!< STSAFE-A Decompress command code */
 } stsafea_extended_cmd_code_t;
 
-extern const PLAT_UI16 stsafea_maximum_frame_length[STSAFEA_PRODUCT_COUNT];
-
 stse_ReturnCode_t stsafea_get_command_count(stse_Handler_t *pSTSE, PLAT_UI8 *pCommand_count);
 
 /**
diff --git a/services/stsafea/stsafea_data_partition.c b/services/stsafea/stsafea_data_partition.c
@@ -170,7 +170,7 @@ stse_ReturnCode_t stsafea_decrement_counter_zone(stse_Handler_t *pSTSE,
     stse_frame_element_allocate_push(&CmdFrame, eData, data_length, pData);
 
     if (data_length >= stsafea_maximum_frame_length[pSTSE->device_type]) {
-        return STSE_SERVICE_BUFFER_OVERFLOW;
+        return STSE_SERVICE_FRAME_SIZE_ERROR;
     }
 
     /*- Create Rsp frame and populate elements*/
@@ -239,7 +239,7 @@ stse_ReturnCode_t stsafea_read_counter_zone(stse_Handler_t *pSTSE,
     stse_frame_element_allocate_push(&CmdFrame, eLength, STSAFEA_ZONE_ACCESS_LENGTH_SIZE, (PLAT_UI8 *)&Associated_data_length);
 
     if (Associated_data_length >= stsafea_maximum_frame_length[pSTSE->device_type]) {
-        return STSE_SERVICE_BUFFER_OVERFLOW;
+        return STSE_SERVICE_FRAME_SIZE_ERROR;
     }
 
     /*- Create Rsp frame and populate elements*/
@@ -308,7 +308,7 @@ stse_ReturnCode_t stsafea_read_data_zone(stse_Handler_t *pSTSE,
     stse_frame_element_allocate_push(&CmdFrame, eLength, STSAFEA_ZONE_ACCESS_LENGTH_SIZE, (PLAT_UI8 *)&read_length);
 
     if (read_length >= stsafea_maximum_frame_length[pSTSE->device_type]) {
-        return STSE_SERVICE_BUFFER_OVERFLOW;
+        return STSE_SERVICE_FRAME_SIZE_ERROR;
     }
 
     /*- Create Rsp frame and populate elements*/
@@ -376,7 +376,7 @@ stse_ReturnCode_t stsafea_update_data_zone(stse_Handler_t *pSTSE,
     stse_frame_element_allocate_push(&CmdFrame, eData, data_length, pData);
 
     if (data_length >= stsafea_maximum_frame_length[pSTSE->device_type]) {
-        return STSE_SERVICE_BUFFER_OVERFLOW;
+        return STSE_SERVICE_FRAME_SIZE_ERROR;
     }
 
     /*- Create Rsp frame and populate elements*/
diff --git a/services/stsafea/stsafea_frame_transfer.c b/services/stsafea/stsafea_frame_transfer.c
@@ -23,6 +23,13 @@
 
 #ifdef STSE_CONF_STSAFE_A_SUPPORT
 
+const PLAT_UI16 stsafea_maximum_frame_length[STSAFEA_PRODUCT_COUNT] = {
+    STSAFEA_MAX_FRAME_LENGTH_A100,
+    STSAFEA_MAX_FRAME_LENGTH_A110,
+    STSAFEA_MAX_FRAME_LENGTH_A120,
+    STSAFEA_MAX_FRAME_LENGTH_A200,
+};
+
 stse_ReturnCode_t stsafea_frame_transmit(stse_Handler_t *pSTSE, stse_frame_t *pFrame) {
     stse_ReturnCode_t ret = STSE_PLATFORM_BUS_ACK_ERROR;
     PLAT_UI16 retry_count = STSE_MAX_POLLING_RETRY;
@@ -32,11 +39,15 @@ stse_ReturnCode_t stsafea_frame_transmit(stse_Handler_t *pSTSE, stse_frame_t *pF
 
     /*- Verify Parameters */
     if ((pSTSE == NULL) || (pFrame == NULL)) {
-        return STSE_CORE_INVALID_PARAMETER;
+        return STSE_SERVICE_INVALID_PARAMETER;
     }
     /*- Verify Frame length */
     if (pFrame->element_count == 0) {
-        return STSE_CORE_INVALID_PARAMETER;
+        return STSE_SERVICE_INVALID_PARAMETER;
+    }
+    /*- Verify Frame overflow */
+    if (pFrame->length > stsafea_maximum_frame_length[pSTSE->device_type - STSAFE_A100]) {
+        return STSE_SERVICE_FRAME_SIZE_ERROR;
     }
     /*- Compute frame crc */
     ret = stse_frame_crc16_compute(pFrame, &crc_ret);
@@ -162,6 +173,11 @@ stse_ReturnCode_t stsafea_frame_receive(stse_Handler_t *pSTSE, stse_frame_t *pFr
     /* - Store response Length */
     received_length = ((length_value[0] << 8) + length_value[1]) - STSE_FRAME_CRC_SIZE + STSE_RSP_FRAME_HEADER_SIZE;
 
+    /*- Verify Frame overflow */
+    if (received_length > stsafea_maximum_frame_length[pSTSE->device_type - STSAFE_A100]) {
+        return STSE_SERVICE_FRAME_SIZE_ERROR;
+    }
+
     if ((received_header & STSE_STSAFEA_RSP_STATUS_MASK) != STSE_OK) {
         while (pFrame->element_count > 1) {
             stse_frame_pop_element(pFrame);
diff --git a/services/stsafea/stsafea_frame_transfer.h b/services/stsafea/stsafea_frame_transfer.h
@@ -29,6 +29,10 @@
 #include "core/stse_return_codes.h"
 #include "core/stse_util.h"
 
+#define STSAFEA_PRODUCT_COUNT 4U
+
+extern const PLAT_UI16 stsafea_maximum_frame_length[STSAFEA_PRODUCT_COUNT];
+
 /**
  * \brief 			Transmit frame from target STSAFE-Axxx
  * \details 		This core function prepare frame CRC and send frame to target STSAFE-Axxx device
diff --git a/services/stsafea/stsafea_hash.h b/services/stsafea/stsafea_hash.h
@@ -24,7 +24,6 @@
 #include "core/stse_platform.h"
 #include "core/stse_return_codes.h"
 #include "core/stse_util.h"
-#include "services/stsafea/stsafea_commands.h"
 #include "services/stsafea/stsafea_timings.h"
 
 /*! \defgroup stsafea_hash STSAFE-A Hash
diff --git a/services/stsafea/stsafea_timings.h b/services/stsafea/stsafea_timings.h
@@ -26,6 +26,7 @@ extern "C" {
 #include "core/stse_platform.h"
 #include "core/stse_return_codes.h"
 #include "services/stsafea/stsafea_commands.h"
+#include "services/stsafea/stsafea_frame_transfer.h"
 
 #define STSAFEA_EXEC_TIME_DEFAULT 500U /*!< STSAFE default command processing time (used when specific time == 0) */
 
diff --git a/services/stsafel/stsafel_commands.c b/services/stsafel/stsafel_commands.c
@@ -19,8 +19,4 @@
 
 #ifdef STSE_CONF_STSAFE_L_SUPPORT
 
-const PLAT_UI16 stsafel_maximum_frame_length[STSAFEL_PRODUCT_COUNT] = {
-    STSAFEL_MAX_FRAME_LENGTH_L010, /*!< STSAFE-L Maximum command length (bytes) */
-};
-
 #endif /* STSE_CONF_STSAFE_L_SUPPORT */
diff --git a/services/stsafel/stsafel_commands.h b/services/stsafel/stsafel_commands.h
@@ -35,7 +35,6 @@
 #include "core/stse_return_codes.h"
 #include "core/stse_util.h"
 
-#define STSAFEL_PRODUCT_COUNT 1U
 #define STSAFEL_MAX_CMD_COUNT 12U
 
 #define STSAFEL_HEADER_SIZE 1U
@@ -61,8 +60,6 @@ typedef enum stsafel_cmd_code_t {
     STSAFEL_CMD_REPEAT = 0x3EU,             /*!< STSAFE-L010 "Repeat" command code */
 } stsafel_cmd_code_t;
 
-extern const PLAT_UI16 stsafel_maximum_frame_length[STSAFEL_PRODUCT_COUNT];
-
 /** \}*/
 /** \}*/
 #endif /*STSAFEL_COMMANDS_H*/
diff --git a/services/stsafel/stsafel_data_partition.h b/services/stsafel/stsafel_data_partition.h
@@ -24,8 +24,8 @@
 #include "core/stse_platform.h"
 #include "core/stse_return_codes.h"
 #include "core/stse_util.h"
-#include "stse_platform_generic.h"
 #include "services/stsafel/stsafel_timings.h"
+#include "stse_platform_generic.h"
 
 /*! \defgroup stsafel_data_partition STSAFE-L Data partition
  *  \ingroup stsafel_services
diff --git a/services/stsafel/stsafel_echo.h b/services/stsafel/stsafel_echo.h
@@ -24,8 +24,8 @@
 #include "core/stse_platform.h"
 #include "core/stse_return_codes.h"
 #include "core/stse_util.h"
-#include "stse_platform_generic.h"
 #include "services/stsafel/stsafel_timings.h"
+#include "stse_platform_generic.h"
 
 /*! \defgroup stsafel_echo STSAFE-L Echo
  *  \ingroup stsafel_services
diff --git a/services/stsafel/stsafel_frame_transfer.c b/services/stsafel/stsafel_frame_transfer.c
@@ -21,6 +21,10 @@
 
 #ifdef STSE_CONF_STSAFE_L_SUPPORT
 
+const PLAT_UI16 stsafel_maximum_frame_length[STSAFEL_PRODUCT_COUNT] = {
+    STSAFEL_MAX_FRAME_LENGTH_L010, /*!< STSAFE-L Maximum command length (bytes) */
+};
+
 stse_ReturnCode_t stsafel_frame_transmit(stse_Handler_t *pSTSE, stse_frame_t *pFrame) {
     stse_ReturnCode_t ret = STSE_PLATFORM_BUS_ACK_ERROR;
     PLAT_UI16 retry_count = STSE_MAX_POLLING_RETRY;
@@ -30,11 +34,15 @@ stse_ReturnCode_t stsafel_frame_transmit(stse_Handler_t *pSTSE, stse_frame_t *pF
 
     /*- Verify Parameters */
     if ((pSTSE == NULL) || (pFrame == NULL)) {
-        return STSE_CORE_INVALID_PARAMETER;
+        return STSE_SERVICE_INVALID_PARAMETER;
     }
     /*- Verify Frame length */
     if (pFrame->element_count == 0) {
-        return STSE_CORE_INVALID_PARAMETER;
+        return STSE_SERVICE_INVALID_PARAMETER;
+    }
+    /*- Verify Frame overflow */
+    if (pFrame->length > stsafel_maximum_frame_length[pSTSE->device_type - STSAFE_L010]) {
+        return STSE_SERVICE_FRAME_SIZE_ERROR;
     }
     /*- Compute frame crc */
     ret = stse_frame_crc16_compute(pFrame, &crc_ret);
@@ -153,6 +161,11 @@ stse_ReturnCode_t stsafel_i2c_frame_receive(stse_Handler_t *pSTSE, stse_frame_t
     /* - Store response Length */
     received_length = ((length_value[0] << 8) + length_value[1]) - STSE_FRAME_CRC_SIZE;
 
+    /*- Verify Frame overflow */
+    if (pFrame->length > stsafel_maximum_frame_length[pSTSE->device_type - STSAFE_L010]) {
+        return STSE_SERVICE_FRAME_SIZE_ERROR;
+    }
+
     /* ======================================================= */
     /* ====== Format the frame to handle CRC and filler ====== */
 
diff --git a/services/stsafel/stsafel_frame_transfer.h b/services/stsafel/stsafel_frame_transfer.h
@@ -21,14 +21,18 @@
  *  @{
  */
 
-#ifndef STSAFEL_FRAME_H
-#define STSAFEL_FRAME_H
+#ifndef STSAFEL_FRAME_TRANSFER_H
+#define STSAFEL_FRAME_TRANSFER_H
 
 #include "core/stse_device.h"
 #include "core/stse_platform.h"
 #include "core/stse_return_codes.h"
 #include "core/stse_util.h"
 
+#define STSAFEL_PRODUCT_COUNT 1U
+
+extern const PLAT_UI16 stsafel_maximum_frame_length[STSAFEL_PRODUCT_COUNT];
+
 /**
  * \brief 			Transmit frame from target STSAFE-Lxxx
  * \details 		This core function prepare frame CRC and send frame to target STSAFE-Axxx device
@@ -77,4 +81,4 @@ stse_ReturnCode_t stsafel_frame_transfer(stse_Handler_t *pSTSE,
                                          stse_frame_t *pRspFrame);
 
 /*! @}*/
-#endif /* STSAFEL_FRAME_H */
+#endif /* STSAFEL_FRAME_TRANSFER_H */
diff --git a/services/stsafel/stsafel_timings.h b/services/stsafel/stsafel_timings.h
@@ -26,6 +26,7 @@ extern "C" {
 #include "core/stse_platform.h"
 #include "core/stse_return_codes.h"
 #include "services/stsafel/stsafel_commands.h"
+#include "services/stsafel/stsafel_frame_transfer.h"
 
 #define STSAFEL_EXEC_TIME_DEFAULT 500U /*!< STSAFE-L default command processing time (used when specific time == 0) */
 
