From 1ced9f6267d87d2ec9a6cdfb6d5d919385ec1d61 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Wed, 18 Mar 2026 16:04:20 +0100
Subject: [PATCH] Check bounds on update ef.
Signed-off-by: Pol Henarejos
---
 src/hsm/cmd_update_ef.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/hsm/cmd_update_ef.c b/src/hsm/cmd_update_ef.c
index 957f8ed..0508429 100644
--- a/src/hsm/cmd_update_ef.c
+++ b/src/hsm/cmd_update_ef.c
@@ -84,6 +84,9 @@ int cmd_update_ef(void) {
 if (!file_has_data(ef)) {
 return SW_DATA_INVALID();
 }
+ if (offset + data_len > file_get_size(ef)) {
+ return SW_WRONG_LENGTH();
+ }
 uint8_t *data_merge = (uint8_t *) calloc(1, offset + data_len);
 memcpy(data_merge, file_get_data(ef), offset);
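Review bot: The added guard on the `+` lines sums `offset + data_len` before comparing, and the declarations of both are outside the hunk, so whether that sum can wrap is not visible here; writing it as `if (offset > file_get_size(ef) || data_len > file_get_size(ef) - offset)` holds for any unsigned width. The `calloc` result on the context line below is still passed to `memcpy` without a NULL check, which this commit leaves as is; a test of `data_merge == NULL` that returns an error status word would cover allocation failure. The guard also refuses an update that would grow the file beyond its current size; if that is the intent, a one-line comment above it saying so would help the next reader. cmd_update_ef begins and ends outside the hunk.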