From 1f96fe619b28d5d72a52b1f55c1b75de8a85ec78 Mon Sep 17 00:00:00 2001
From: Pol Henarejos <pol.henarejos@cttc.es>
Date: Wed, 18 Mar 2026 17:42:25 +0100
Subject: [PATCH] Fix bounds on update ef.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
---
 src/hsm/cmd_update_ef.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/hsm/cmd_update_ef.c b/src/hsm/cmd_update_ef.c
index 0508429..978af62 100644
--- a/src/hsm/cmd_update_ef.c
+++ b/src/hsm/cmd_update_ef.c
@@ -84,12 +84,12 @@ int cmd_update_ef(void) {
             if (!file_has_data(ef)) {
                 return SW_DATA_INVALID();
             }
-            if (offset + data_len > file_get_size(ef)) {
+            if (offset + data_len > 4032) {
                 return SW_WRONG_LENGTH();
             }
 
-            uint8_t *data_merge = (uint8_t *) calloc(1, offset + data_len);
-            memcpy(data_merge, file_get_data(ef), offset);
+            uint8_t *data_merge = (uint8_t *) calloc(1, MAX(offset + data_len, file_get_size(ef)));
+            memcpy(data_merge, file_get_data(ef), file_get_size(ef));
             memcpy(data_merge + offset, data, data_len);
             int r = file_put_data(ef, data_merge, offset + data_len);
             free(data_merge);