From e764dc7f6b95dabc6738b7c652ae88a392bd9375 Mon Sep 17 00:00:00 2001 From: Kameleon <91192941+KameleonSec@users.noreply.github.com> Date: Sun, 26 Sep 2021 17:51:09 +0300 Subject: [PATCH] Manifest header wrong comparison between two unsigned values This is a vulnerability in the manifest_flash.c header parse calculations. A corrupted manifest header results in DoS or more severe implications that might result in a possible RCE. E.g. a manifest header with length=0 causes the code to read the whole flash until crash. After updating a manifest with such a malformed header, the system could be bricked. Thus, fix the comparison between two unsigned values for detecting a negative value. --- core/manifest/manifest_flash.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/manifest/manifest_flash.c b/core/manifest/manifest_flash.c index 1b2c9d7c..d2d1f898 100644 --- a/core/manifest/manifest_flash.c +++ b/core/manifest/manifest_flash.c @@ -143,7 +143,7 @@ int manifest_flash_read_header (struct manifest_flash *manifest, struct manifest return MANIFEST_BAD_MAGIC_NUMBER; } - if (header->sig_length > (header->length - sizeof (struct manifest_header))) { + if ((int)header->sig_length > (int)(header->length - sizeof (struct manifest_header))) { return MANIFEST_BAD_LENGTH; }
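Review bot: the `(int)` casts in the new `if` at manifest_flash.c:146 paper over the wrap rather than preventing it; the root cause is that `header->length - sizeof (struct manifest_header)` is evaluated before anyone has checked that `header->length` is at least `sizeof (struct manifest_header)`, so for the length=0 case named in the commit message the subtraction still wraps to a huge unsigned value and the patch only rejects it because the out-of-range conversion to `int` happens to come out negative on the compilers in use (that conversion is implementation-defined in C, not guaranteed). The cast also opens a new hole in the opposite direction: once `sig_length` is converted to `int`, any value with its top bit set becomes negative and sails past the `>` comparison, so if the field is wide enough to hold such a value a header can now claim a signature larger than the whole manifest. Please replace the casts with an explicit guard on the minimum length and keep the original unsigned comparison, e.g.
if (header->length < sizeof (struct manifest_header)) { return MANIFEST_BAD_LENGTH; }
if (header->sig_length > (header->length - sizeof (struct manifest_header))) { return MANIFEST_BAD_LENGTH; }
which rejects both the truncated header and an oversized signature without relying on signed truncation. Minor: the subject line should read "comparison" rather than "comparation".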