author | gornekich <n.gorbadey@gmail.com> | 2022-07-05 18:41:19 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-05 18:41:19 +0300 |
commit | ece142a6677550c9fbc805a72b4f09b052251d45 (patch) | |
tree | b6fee9c986a839477be1dce4696cb1806af69e41 /lib | |
parent | e147b2ceea7e69d637b45c26533662337289a0d1 (diff) |
Fix buffer overflow in mifare classic lib #1374
Diffstat (limited to 'lib')
-rw-r--r-- | lib/nfc_protocols/mifare_classic.c | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/lib/nfc_protocols/mifare_classic.c b/lib/nfc_protocols/mifare_classic.c
index 28334119..21d470bc 100644
--- a/lib/nfc_protocols/mifare_classic.c
+++ b/lib/nfc_protocols/mifare_classic.c
@@ -386,11 +386,25 @@ bool mf_classic_read_block(
 tx_rx->tx_rx_type = FuriHalNfcTxRxTypeRaw;
 if(furi_hal_nfc_tx_rx(tx_rx, 50)) {
- if(tx_rx->rx_bits == 8 * 18) {
- for(uint8_t i = 0; i < 18; i++) {
- block->value[i] = crypto1_byte(crypto, 0, 0) ^ tx_rx->rx_data[i];
+ if(tx_rx->rx_bits == 8 * (MF_CLASSIC_BLOCK_SIZE + 2)) {
+ uint8_t block_received[MF_CLASSIC_BLOCK_SIZE + 2];
+ for(uint8_t i = 0; i < MF_CLASSIC_BLOCK_SIZE + 2; i++) {
+ block_received[i] = crypto1_byte(crypto, 0, 0) ^ tx_rx->rx_data[i];
+ }
+ uint16_t crc_calc = nfca_get_crc16(block_received, MF_CLASSIC_BLOCK_SIZE);
+ uint16_t crc_received = (block_received[MF_CLASSIC_BLOCK_SIZE + 1] << 8) |
+ block_received[MF_CLASSIC_BLOCK_SIZE];
+ if(crc_received != crc_calc) {
+ FURI_LOG_E(
+ TAG,
+ "Incorrect CRC while reading block %d. Expected %04X, Received %04X",
+ block_num,
+ crc_received,
+ crc_calc);
+ } else {
+ memcpy(block->value, block_received, MF_CLASSIC_BLOCK_SIZE);
+ read_block_success = true;
 }
- read_block_success = true;
 }
 }
 return read_block_success; |
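Review bot: The `FURI_LOG_E` call in the CRC-mismatch branch passes its arguments in the wrong order for its format string: `Expected %04X` is given `crc_received` and `Received %04X` is given `crc_calc`, so the log shows each value under the other's label; the last two arguments should read `crc_calc, crc_received);`. Separately, the `memcpy` into `block->value` is only safe if that destination holds at least `MF_CLASSIC_BLOCK_SIZE` bytes, which the hunk does not show. The original overflow came from a literal length that disagreed with the destination, so if `value` is an array member, a `_Static_assert(sizeof(block->value) == MF_CLASSIC_BLOCK_SIZE, "block size mismatch");` next to the copy would pin that relationship at compile time. `mf_classic_read_block` begins before the hunk, so the declaration of `block` is not visible here.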