Merge pull request #311 from marshmellow42/master
authorIceman <iceman@iuse.se>
Wed, 7 Jun 2017 20:31:52 +0000 (22:31 +0200)
committerGitHub <noreply@github.com>
Wed, 7 Jun 2017 20:31:52 +0000 (22:31 +0200)
a few coverity scan bug fixes

armsrc/iso14443a.c
client/cmdhf14a.c
client/cmdhfmf.c
client/cmdhfmfu.c
client/cmdlfpresco.c
client/proxguiqt.h

index b18a2fe60265c0ef5a4750a2c873c0bb8d7f3002..d648beee338f293b08c45bc9db62d2bf5f019d75 100644 (file)
@@ -2418,8 +2418,8 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
        //Here, we collect UID,sector,keytype,NT,AR,NR,NT2,AR2,NR2
        // This will be used in the reader-only attack.
 
-       //allow collecting up to 8 sets of nonces to allow recovery of up to 8 keys
-       #define ATTACK_KEY_COUNT 8 // keep same as define in cmdhfmf.c -> readerAttack()
+       //allow collecting up to 7 sets of nonces to allow recovery of up to 7 keys
+       #define ATTACK_KEY_COUNT 7 // keep same as define in cmdhfmf.c -> readerAttack() (Cannot be more than 7)
        nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; //*2 for 2 separate attack types (nml, moebius)
        memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
 
index 812db8ee0d85506630119de580162e2e4884dae4..58d1e8b24fb5e96c6d99587bf44019d3e5bb7529 100644 (file)
@@ -561,72 +561,72 @@ int CmdHF14ASnoop(const char *Cmd) {
                if (ctmp == 'r' || ctmp == 'R') param |= 0x02;
        }
 
-  UsbCommand c = {CMD_SNOOP_ISO_14443a, {param, 0, 0}};
-  SendCommand(&c);
-  return 0;
+       UsbCommand c = {CMD_SNOOP_ISO_14443a, {param, 0, 0}};
+       SendCommand(&c);
+       return 0;
 }
 
 
 int CmdHF14ACmdRaw(const char *cmd) {
-    UsbCommand c = {CMD_READER_ISO_14443a, {0, 0, 0}};
-    bool reply=1;
-    bool crc = false;
-    bool power = false;
-    bool active = false;
-    bool active_select = false;
-    uint16_t numbits = 0;
+       UsbCommand c = {CMD_READER_ISO_14443a, {0, 0, 0}};
+       bool reply=1;
+       bool crc = false;
+       bool power = false;
+       bool active = false;
+       bool active_select = false;
+       uint16_t numbits = 0;
        bool bTimeout = false;
        uint32_t timeout = 0;
        bool topazmode = false;
-    char buf[5]="";
-    int i = 0;
-    uint8_t data[USB_CMD_DATA_SIZE];
+       char buf[5]="";
+       int i = 0;
+       uint8_t data[USB_CMD_DATA_SIZE];
        uint16_t datalen = 0;
        uint32_t temp;
 
-    if (strlen(cmd)<2) {
-        PrintAndLog("Usage: hf 14a raw [-r] [-c] [-p] [-f] [-b] [-t] <number of bits> <0A 0B 0C ... hex>");
-        PrintAndLog("       -r    do not read response");
-        PrintAndLog("       -c    calculate and append CRC");
-        PrintAndLog("       -p    leave the signal field ON after receive");
-        PrintAndLog("       -a    active signal field ON without select");
-        PrintAndLog("       -s    active signal field ON with select");
-        PrintAndLog("       -b    number of bits to send. Useful for send partial byte");
+       if (strlen(cmd)<2) {
+               PrintAndLog("Usage: hf 14a raw [-r] [-c] [-p] [-f] [-b] [-t] <number of bits> <0A 0B 0C ... hex>");
+               PrintAndLog("       -r    do not read response");
+               PrintAndLog("       -c    calculate and append CRC");
+               PrintAndLog("       -p    leave the signal field ON after receive");
+               PrintAndLog("       -a    active signal field ON without select");
+               PrintAndLog("       -s    active signal field ON with select");
+               PrintAndLog("       -b    number of bits to send. Useful for send partial byte");
                PrintAndLog("       -t    timeout in ms");
                PrintAndLog("       -T    use Topaz protocol to send command");
-        return 0;
-    }
+               return 0;
+       }
 
-       
-    // strip
-    while (*cmd==' ' || *cmd=='\t') cmd++;
-
-    while (cmd[i]!='\0') {
-        if (cmd[i]==' ' || cmd[i]=='\t') { i++; continue; }
-        if (cmd[i]=='-') {
-            switch (cmd[i+1]) {
-                case 'r': 
-                    reply = false;
-                    break;
-                case 'c':
-                    crc = true;
-                    break;
-                case 'p':
-                    power = true;
-                    break;
-                case 'a':
-                    active = true;
-                    break;
-                case 's':
-                    active_select = true;
-                    break;
-                case 'b': 
-                    sscanf(cmd+i+2,"%d",&temp);
-                    numbits = temp & 0xFFFF;
-                    i+=3;
-                    while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
-                    i-=2;
-                    break;
+
+       // strip
+       while (*cmd==' ' || *cmd=='\t') cmd++;
+
+       while (cmd[i]!='\0') {
+               if (cmd[i]==' ' || cmd[i]=='\t') { i++; continue; }
+               if (cmd[i]=='-') {
+                       switch (cmd[i+1]) {
+                               case 'r': 
+                                       reply = false;
+                                       break;
+                               case 'c':
+                                       crc = true;
+                                       break;
+                               case 'p':
+                                       power = true;
+                                       break;
+                               case 'a':
+                                       active = true;
+                                       break;
+                               case 's':
+                                       active_select = true;
+                                       break;
+                               case 'b': 
+                                       sscanf(cmd+i+2,"%d",&temp);
+                                       numbits = temp & 0xFFFF;
+                                       i+=3;
+                                       while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
+                                       i-=2;
+                                       break;
                                case 't':
                                        bTimeout = true;
                                        sscanf(cmd+i+2,"%d",&temp);
@@ -635,93 +635,95 @@ int CmdHF14ACmdRaw(const char *cmd) {
                                        while(cmd[i]!=' ' && cmd[i]!='\0') { i++; }
                                        i-=2;
                                        break;
-                case 'T':
+                               case 'T':
                                        topazmode = true;
                                        break;
-                default:
-                    PrintAndLog("Invalid option");
-                    return 0;
-            }
-            i+=2;
-            continue;
-        }
-        if ((cmd[i]>='0' && cmd[i]<='9') ||
-            (cmd[i]>='a' && cmd[i]<='f') ||
-            (cmd[i]>='A' && cmd[i]<='F') ) {
-            buf[strlen(buf)+1]=0;
-            buf[strlen(buf)]=cmd[i];
-            i++;
-
-            if (strlen(buf)>=2) {
-                sscanf(buf,"%x",&temp);
-                data[datalen]=(uint8_t)(temp & 0xff);
-                *buf=0;
-                               if (++datalen>sizeof(data)){
+                               default:
+                                       PrintAndLog("Invalid option");
+                                       return 0;
+                       }
+                       i+=2;
+                       continue;
+               }
+               if ((cmd[i]>='0' && cmd[i]<='9') ||
+                   (cmd[i]>='a' && cmd[i]<='f') ||
+                   (cmd[i]>='A' && cmd[i]<='F') ) {
+                       buf[strlen(buf)+1]=0;
+                       buf[strlen(buf)]=cmd[i];
+                       i++;
+
+                       if (strlen(buf)>=2) {
+                               sscanf(buf,"%x",&temp);
+                               data[datalen]=(uint8_t)(temp & 0xff);
+                               *buf=0;
+                               if (datalen > sizeof(data)-1) {
                                        if (crc)
                                                PrintAndLog("Buffer is full, we can't add CRC to your data");
                                        break;
+                               } else {
+                                       datalen++;
                                }
-            }
-            continue;
-        }
-        PrintAndLog("Invalid char on input");
-        return 0;
-    }
+                       }
+                       continue;
+               }
+               PrintAndLog("Invalid char on input");
+               return 0;
+       }
 
-    if(crc && datalen>0 && datalen<sizeof(data)-2)
-    {
-        uint8_t first, second;
+       if(crc && datalen>0 && datalen<sizeof(data)-2)
+       {
+               uint8_t first, second;
                if (topazmode) {
                        ComputeCrc14443(CRC_14443_B, data, datalen, &first, &second);
                } else {
                        ComputeCrc14443(CRC_14443_A, data, datalen, &first, &second);
                }
-        data[datalen++] = first;
-        data[datalen++] = second;
-    }
+               data[datalen++] = first;
+               data[datalen++] = second;
+       }
 
-    if(active || active_select)
-    {
-        c.arg[0] |= ISO14A_CONNECT;
-        if(active)
-            c.arg[0] |= ISO14A_NO_SELECT;
-    }
+       if(active || active_select)
+       {
+               c.arg[0] |= ISO14A_CONNECT;
+               if(active)
+                       c.arg[0] |= ISO14A_NO_SELECT;
+       }
 
        if(bTimeout){
-           #define MAX_TIMEOUT 40542464        // = (2^32-1) * (8*16) / 13560000Hz * 1000ms/s
-        c.arg[0] |= ISO14A_SET_TIMEOUT;
-        if(timeout > MAX_TIMEOUT) {
-            timeout = MAX_TIMEOUT;
-            PrintAndLog("Set timeout to 40542 seconds (11.26 hours). The max we can wait for response");
-        }
+               #define MAX_TIMEOUT 40542464    // = (2^32-1) * (8*16) / 13560000Hz * 1000ms/s
+               c.arg[0] |= ISO14A_SET_TIMEOUT;
+               if(timeout > MAX_TIMEOUT) {
+                       timeout = MAX_TIMEOUT;
+                       PrintAndLog("Set timeout to 40542 seconds (11.26 hours). The max we can wait for response");
+               }
                c.arg[2] = 13560000 / 1000 / (8*16) * timeout; // timeout in ETUs (time to transfer 1 bit, approx. 9.4 us)
        }
 
-    if(power) {
-        c.arg[0] |= ISO14A_NO_DISCONNECT;
-    }
+       if(power) {
+               c.arg[0] |= ISO14A_NO_DISCONNECT;
+       }
 
        if(datalen > 0) {
-        c.arg[0] |= ISO14A_RAW;
-    }
+               c.arg[0] |= ISO14A_RAW;
+       }
 
        if(topazmode) {
                c.arg[0] |= ISO14A_TOPAZMODE;
-    }
-               
-       // Max buffer is USB_CMD_DATA_SIZE
-    c.arg[1] = (datalen & 0xFFFF) | (numbits << 16);
-    memcpy(c.d.asBytes,data,datalen);
-
-    SendCommand(&c);
-
-    if (reply) {
-        if(active_select)
-            waitCmd(1);
-        if(datalen>0)
-            waitCmd(0);
-    } // if reply
-    return 0;
+       }
+
+       // Max buffer is USB_CMD_DATA_SIZE (512)
+       c.arg[1] = (datalen & 0xFFFF) | ((uint32_t)numbits << 16);
+       memcpy(c.d.asBytes,data,datalen);
+
+       SendCommand(&c);
+
+       if (reply) {
+               if(active_select)
+                       waitCmd(1);
+               if(datalen>0)
+                       waitCmd(0);
+       } // if reply
+       return 0;
 }
 
 
index 5b4a0b2a401a48ead9d8e7375c3211047a40061b..3fde208f6ab520b7778f32f9313940e26b102529 100644 (file)
@@ -970,6 +970,7 @@ int CmdHF14AMfChk(const char *Cmd)
                break;\r
        default:\r
                PrintAndLog("Key type must be A , B or ?");\r
+               free(keyBlock);\r
                return 1;\r
        };\r
        \r
@@ -1120,7 +1121,8 @@ int CmdHF14AMfChk(const char *Cmd)
 }\r
 \r
 void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) {\r
-       #define ATTACK_KEY_COUNT 8 // keep same as define in iso14443a.c -> Mifare1ksim()\r
+       #define ATTACK_KEY_COUNT 7 // keep same as define in iso14443a.c -> Mifare1ksim()\r
+                                  // cannot be more than 7 or it will overrun c.d.asBytes(512)\r
        uint64_t key = 0;\r
        typedef struct {\r
                        uint64_t keyA;\r
index ed8c588d3e4750a9c3edf0aee508799a665324d5..815022501bc97b227d0b48a32400659dd2cf5e81 100644 (file)
@@ -1474,7 +1474,7 @@ int CmdHF14AMfucAuth(const char *Cmd){
        //Change key to user defined one
        if (cmdp == 'k' || cmdp == 'K'){
                keyNo = param_get8(Cmd, 1);
-               if(keyNo > KEYS_3DES_COUNT) 
+               if(keyNo > KEYS_3DES_COUNT-1
                        errors = true;
        }
 
index 8ac3a71ea94254a721017152eaa2a79d0657d277..29fc81f278cc6522a1c0e4f86186fc16030370b5 100644 (file)
@@ -68,8 +68,8 @@ int GetWiegandFromPresco(const char *Cmd, uint32_t *sitecode, uint32_t *usercode
                                *fullcode = param_get32ex(Cmd, cmdp+1, 0, 10);
                                cmdp+=2;
                                break;
-                       case 'P':
-                       case 'p':
+                       case 'D':
+                       case 'd':
                                //param get string int param_getstr(const char *line, int paramnum, char * str)
                                stringlen = param_getstr(Cmd, cmdp+1, id);
                                if (stringlen < 2) return -1;
@@ -91,7 +91,7 @@ int GetWiegandFromPresco(const char *Cmd, uint32_t *sitecode, uint32_t *usercode
        if(cmdp == 0) errors = 1;
 
        //Validations
-       if(errors) return -1;
+       if(errors || (stringlen == 0 && !hex) ) return -1;
 
        if (!hex) {
                for (int index =0; index < strlen(id); ++index) {
index 73f9286c39440ce9e58d2b3b8eff4bf68dbe73ca..8a3b8cfccf5d813ea431b29bb012e2e2e5de004e 100644 (file)
@@ -128,7 +128,7 @@ public:
        void run();
 private:
        char *script_cmds_file = NULL;
-       bool usb_present = false;
+       bool usb_present;
 };
 
 #endif // PROXGUI_QT
Impressum, Datenschutz