Fix buffer overflow in mifare classic lib #1374

2022-07-05 18:41:19 +03:00 · 2022-07-05 18:41:19 +03:00 · ece142a667
commit ece142a667
parent e147b2ceea
1 changed files with 18 additions and 4 deletions
--- a/lib/nfc_protocols/mifare_classic.c
+++ b/lib/nfc_protocols/mifare_classic.c
@ -386,11 +386,25 @@ bool mf_classic_read_block(
    tx_rx->tx_rx_type = FuriHalNfcTxRxTypeRaw;

    if(furi_hal_nfc_tx_rx(tx_rx, 50)) {
-        if(tx_rx->rx_bits == 8 * 18) {
-            for(uint8_t i = 0; i < 18; i++) {
-                block->value[i] = crypto1_byte(crypto, 0, 0) ^ tx_rx->rx_data[i];
+        if(tx_rx->rx_bits == 8 * (MF_CLASSIC_BLOCK_SIZE + 2)) {
+            uint8_t block_received[MF_CLASSIC_BLOCK_SIZE + 2];
+            for(uint8_t i = 0; i < MF_CLASSIC_BLOCK_SIZE + 2; i++) {
+                block_received[i] = crypto1_byte(crypto, 0, 0) ^ tx_rx->rx_data[i];
+            }
+            uint16_t crc_calc = nfca_get_crc16(block_received, MF_CLASSIC_BLOCK_SIZE);
+            uint16_t crc_received = (block_received[MF_CLASSIC_BLOCK_SIZE + 1] << 8) |
+                                    block_received[MF_CLASSIC_BLOCK_SIZE];
+            if(crc_received != crc_calc) {
+                FURI_LOG_E(
+                    TAG,
+                    "Incorrect CRC while reading block %d. Expected %04X, Received %04X",
+                    block_num,
+                    crc_received,
+                    crc_calc);
+            } else {
+                memcpy(block->value, block_received, MF_CLASSIC_BLOCK_SIZE);
+                read_block_success = true;
            }
-            read_block_success = true;
        }
    }
    return read_block_success;