
github.com/ClusterM/flipperzero-firmware.git - Unnamed repository; edit this file 'description' to name the repository.
authorgornekich <n.gorbadey@gmail.com>2022-07-05 18:41:19 +0300
committerGitHub <noreply@github.com>2022-07-05 18:41:19 +0300
commitece142a6677550c9fbc805a72b4f09b052251d45 (patch)
treeb6fee9c986a839477be1dce4696cb1806af69e41 /lib
parente147b2ceea7e69d637b45c26533662337289a0d1 (diff)
Fix buffer overflow in mifare classic lib #1374
Diffstat (limited to 'lib')
-rw-r--r--lib/nfc_protocols/mifare_classic.c22
1 files changed, 18 insertions, 4 deletions
diff --git a/lib/nfc_protocols/mifare_classic.c b/lib/nfc_protocols/mifare_classic.c
index 28334119..21d470bc 100644
--- a/lib/nfc_protocols/mifare_classic.c
+++ b/lib/nfc_protocols/mifare_classic.c
@@ -386,11 +386,25 @@ bool mf_classic_read_block(
tx_rx->tx_rx_type = FuriHalNfcTxRxTypeRaw;
if(furi_hal_nfc_tx_rx(tx_rx, 50)) {
- if(tx_rx->rx_bits == 8 * 18) {
- for(uint8_t i = 0; i < 18; i++) {
- block->value[i] = crypto1_byte(crypto, 0, 0) ^ tx_rx->rx_data[i];
+ if(tx_rx->rx_bits == 8 * (MF_CLASSIC_BLOCK_SIZE + 2)) {
+ uint8_t block_received[MF_CLASSIC_BLOCK_SIZE + 2];
+ for(uint8_t i = 0; i < MF_CLASSIC_BLOCK_SIZE + 2; i++) {
+ block_received[i] = crypto1_byte(crypto, 0, 0) ^ tx_rx->rx_data[i];
+ }
+ uint16_t crc_calc = nfca_get_crc16(block_received, MF_CLASSIC_BLOCK_SIZE);
+ uint16_t crc_received = (block_received[MF_CLASSIC_BLOCK_SIZE + 1] << 8) |
+ block_received[MF_CLASSIC_BLOCK_SIZE];
+ if(crc_received != crc_calc) {
+ FURI_LOG_E(
+ TAG,
+ "Incorrect CRC while reading block %d. Expected %04X, Received %04X",
+ block_num,
+ crc_received,
+ crc_calc);
+ } else {
+ memcpy(block->value, block_received, MF_CLASSIC_BLOCK_SIZE);
+ read_block_success = true;
}
- read_block_success = true;
}
}
return read_block_success;
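Review bot: The last two arguments of the `FURI_LOG_E` call in the CRC-mismatch branch are in the opposite order to the format string. "Expected %04X, Received %04X" is passed `crc_received` then `crc_calc`, so the log labels the CRC taken from the card as expected and the locally computed one as received. Swap them so the call ends `crc_calc,` then `crc_received);`, otherwise anyone diagnosing a corrupted or malformed read from this log is misled. As a style point, `MF_CLASSIC_BLOCK_SIZE + 2` is repeated in the `rx_bits` check, the `block_received` declaration and the loop bound; a named constant for the two CRC bytes would keep the three in step. `mf_classic_read_block` starts before this hunk and its closing brace lies outside it.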