mount/flipperzero-firmware
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix buffer overflow in mifare classic lib #1374

Browse Source
This commit is contained in:
gornekich 2022-07-05 18:41:19 +03:00 committed by GitHub
parent e147b2ceea
commit ece142a667
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
lib/nfc_protocols/mifare_classic.c
View File

@ -386,11 +386,25 @@ bool mf_classic_read_block(
tx_rx->tx_rx_type = FuriHalNfcTxRxTypeRaw; tx_rx->tx_rx_type = FuriHalNfcTxRxTypeRaw;
if(furi_hal_nfc_tx_rx(tx_rx, 50)) { if(furi_hal_nfc_tx_rx(tx_rx, 50)) {
if(tx_rx->rx_bits == 8 * 18) { if(tx_rx->rx_bits == 8 * (MF_CLASSIC_BLOCK_SIZE + 2)) {
for(uint8_t i = 0; i < 18; i++) { uint8_t block_received[MF_CLASSIC_BLOCK_SIZE + 2];
block->value[i] = crypto1_byte(crypto, 0, 0) ^ tx_rx->rx_data[i]; for(uint8_t i = 0; i < MF_CLASSIC_BLOCK_SIZE + 2; i++) {
block_received[i] = crypto1_byte(crypto, 0, 0) ^ tx_rx->rx_data[i];
}
uint16_t crc_calc = nfca_get_crc16(block_received, MF_CLASSIC_BLOCK_SIZE);
uint16_t crc_received = (block_received[MF_CLASSIC_BLOCK_SIZE + 1] << 8) |
block_received[MF_CLASSIC_BLOCK_SIZE];
if(crc_received != crc_calc) {
FURI_LOG_E(
TAG,
"Incorrect CRC while reading block %d. Expected %04X, Received %04X",
block_num,
crc_received,
crc_calc);
} else {
memcpy(block->value, block_received, MF_CLASSIC_BLOCK_SIZE);
read_block_success = true;
} }
read_block_success = true;
} }
} }
return read_block_success; return read_block_success;