From 1130130e194ed64043301a1c218bdab13cf29d1b Mon Sep 17 00:00:00 2001
From: Charles-Edouard de la Vergne
Date: Mon, 16 Dec 2024 18:57:54 +0100
Subject: [PATCH] fix fuzzing findings
---
 src/shared_context.h | 2 +-
 .../provideDynamicNetwork/network_dynamic.c | 25 ++++++++++++++++---
 2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/src/shared_context.h b/src/shared_context.h
index eaac84fb0..d329d043f 100644
--- a/src/shared_context.h
+++ b/src/shared_context.h
@@ -16,7 +16,7 @@
 #include "nbgl_types.h"
 #endif
-extern void app_exit();
+extern void app_exit(void);
 extern void common_app_init(void);
 #define SELECTOR_LENGTH 4
diff --git a/src_features/provideDynamicNetwork/network_dynamic.c b/src_features/provideDynamicNetwork/network_dynamic.c
index 3ff7d7c09..45f5474ad 100644
--- a/src_features/provideDynamicNetwork/network_dynamic.c
+++ b/src_features/provideDynamicNetwork/network_dynamic.c
@@ -288,6 +288,7 @@ static uint16_t parse_icon_buffer(void) {
 uint8_t digest[CX_SHA256_SIZE];
 const uint8_t *data = g_network_icon[g_current_slot].bitmap;
 const uint16_t field_len = g_icon_payload.received_size;
+ cx_err_t error = CX_INTERNAL_ERROR;
 // Check the icon header
 sw = check_icon_header(data, field_len, &img_len);
@@ -298,7 +299,7 @@ static uint16_t parse_icon_buffer(void) {
 CHECK_FIELD_OVERFLOW("NETWORK_ICON", g_network_icon[g_current_slot].bitmap);
 // Check icon hash
- cx_sha256_hash(data, field_len, digest);
+ CX_CHECK(cx_sha256_hash(data, field_len, digest));
 if (memcmp(digest, g_network_icon[g_current_slot].hash, CX_SHA256_SIZE) != 0) {
 PRINTF("NETWORK_ICON hash mismatch!\n");
 return APDU_RESPONSE_INVALID_DATA;
@@ -313,7 +314,9 @@ static uint16_t parse_icon_buffer(void) {
 DYNAMIC_NETWORK_INFO[g_current_slot].icon.isFile = true;
 COPY_FIELD(DYNAMIC_NETWORK_INFO[g_current_slot].icon.bitmap);
 print_icon_info();
- return APDU_RESPONSE_OK;
+ error = APDU_RESPONSE_OK;
+end:
+ return error;
 }
 /**
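Review bot: In parse_icon_buffer the value returned through `end:` mixes two error domains, because the new `error` is a `cx_err_t` while the function returns a `uint16_t` status word; this spans the hunks at -288, -298 and -313. Assuming CX_CHECK stores the callee's result in `error` and jumps to `end` on failure (its definition is not part of this patch), a failing cx_sha256_hash() would hand the caller a narrowed crypto-library code instead of an APDU status, while the success path stores APDU_RESPONSE_OK in a `cx_err_t`. Mapping the failure explicitly keeps the return value inside the APDU domain: `if (cx_sha256_hash(data, field_len, digest) != CX_OK) { return APDU_RESPONSE_INVALID_DATA; }`, after which `error`, the `end:` label and `return error;` can go and the original `return APDU_RESPONSE_OK;` stays. The function body starts and ends outside these hunks, so other users of `error` may exist that are not visible here.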
@@ -376,6 +379,12 @@ static uint16_t handle_next_icon_chunk(const uint8_t *data, uint8_t length) {
 */
 static uint16_t handle_icon_chunks(uint8_t p1, const uint8_t *data, uint8_t length) {
 uint16_t sw = APDU_RESPONSE_UNKNOWN;
+ uint8_t hash[CX_SHA256_SIZE] = {0};
+
+ if (memcmp(g_network_icon[g_current_slot].hash, hash, CX_SHA256_SIZE) == 0) {
+ PRINTF("Error: Icon hash not set!\n");
+ return APDU_RESPONSE_INVALID_DATA;
+ }
 // Check the received chunk index
 if (p1 == P1_FIRST_CHUNK) {
@@ -432,16 +441,24 @@ static bool verify_signature(s_sig_ctx *sig_ctx) {
 CX_CHECK(
 cx_hash_no_throw((cx_hash_t *) &sig_ctx->hash_ctx, CX_LAST, NULL, 0, hash, INT256_LENGTH));
+#ifdef HAVE_LEDGER_PKI
 CX_CHECK(check_signature_with_pubkey("Dynamic Network",
 hash,
 sizeof(hash),
 LEDGER_SIGNATURE_PUBLIC_KEY,
 sizeof(LEDGER_SIGNATURE_PUBLIC_KEY),
-#ifdef HAVE_LEDGER_PKI
 CERTIFICATE_PUBLIC_KEY_USAGE_COIN_META,
-#endif
 (uint8_t *) (sig_ctx->sig),
 sig_ctx->sig_size));
+#else
+ CX_CHECK(check_signature_with_pubkey("Dynamic Network",
+ hash,
+ sizeof(hash),
+ LEDGER_SIGNATURE_PUBLIC_KEY,
+ sizeof(LEDGER_SIGNATURE_PUBLIC_KEY),
+ (uint8_t *) (sig_ctx->sig),
+ sig_ctx->sig_size));
+#endif
 ret_code = true;
 end:
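Review bot: The new guard at the top of handle_icon_chunks treats an all-zero `g_network_icon[g_current_slot].hash` as "hash not set", which only holds if that field is cleared every time the slot is reset or reused. Nothing in this hunk shows such a reset, so a hash left over from an earlier configuration would presumably still pass the check. If no reset exists, an explicit per-slot flag set when the expected hash is stored would be a sturdier ordering check than a sentinel value. The reference buffer would also read better as `static const uint8_t zero_hash[CX_SHA256_SIZE] = {0};`, since `hash` suggests a computed digest, and the guard deserves a comment such as `// Icon chunks are only accepted once the expected icon hash has been received`. The function body continues outside the hunk.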
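Review bot: The signature check in verify_signature now exists as two near-identical calls that differ only in the CERTIFICATE_PUBLIC_KEY_USAGE_COIN_META argument, and nothing in the code says why. If the reason is that a preprocessor directive inside the argument list of the CX_CHECK macro is undefined behaviour in C, a comment above the new `#ifdef HAVE_LEDGER_PKI` should record it, for example `// Call duplicated on purpose: no preprocessor directives inside CX_CHECK's macro arguments`, so the branches are not merged back later. Because this call is what authenticates the payload, the key, hash and signature arguments of both copies have to stay identical, and that is worth stating in the same comment. verify_signature starts and ends outside the hunk.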