From 3d542a3dfa511ff7a7545136c1980060cf676f02 Mon Sep 17 00:00:00 2001
From: marshmellow42
Date: Tue, 6 Jun 2017 12:12:18 -0400
Subject: [PATCH] coverity scan bug fixes mfu keyNo buffer overflow mf reader attack key count reduced to not overrun c.d.asBytes buffer.
---
 armsrc/iso14443a.c | 4 ++--
 client/cmdhfmf.c | 3 ++-
 client/cmdhfmfu.c | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/armsrc/iso14443a.c b/armsrc/iso14443a.c
index b18a2fe6..d648beee 100644
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@@ -2418,8 +2418,8 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 //Here, we collect UID,sector,keytype,NT,AR,NR,NT2,AR2,NR2
 // This will be used in the reader-only attack.
- //allow collecting up to 8 sets of nonces to allow recovery of up to 8 keys
- #define ATTACK_KEY_COUNT 8 // keep same as define in cmdhfmf.c -> readerAttack()
+ //allow collecting up to 7 sets of nonces to allow recovery of up to 7 keys
+ #define ATTACK_KEY_COUNT 7 // keep same as define in cmdhfmf.c -> readerAttack() (Cannot be more than 7)
 nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; //*2 for 2 separate attack types (nml, moebius)
 memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));
diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index 5b4a0b2a..28198876 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -1120,7 +1120,8 @@ int CmdHF14AMfChk(const char *Cmd)
 }
 void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) {
- #define ATTACK_KEY_COUNT 8 // keep same as define in iso14443a.c -> Mifare1ksim()
+ #define ATTACK_KEY_COUNT 7 // keep same as define in iso14443a.c -> Mifare1ksim()
+ // cannot be more than 7 or it will overrun c.d.asBytes(512)
 uint64_t key = 0;
 typedef struct {
 uint64_t keyA;
diff --git a/client/cmdhfmfu.c b/client/cmdhfmfu.c
index ed8c588d..81502250 100644
--- a/client/cmdhfmfu.c
+++ b/client/cmdhfmfu.c
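Review bot: The upper limit of 7 on `ATTACK_KEY_COUNT` is enforced only by a comment, so a later edit can raise it and reintroduce the overrun of the 512-byte `c.d.asBytes` buffer that this commit fixes. The same function-local `#define` is repeated in `readerAttack()` in client/cmdhfmf.c and is kept in step by hand ("keep same as define in ..."). Consider defining the constant once in a header that both the firmware and the client include. A compile-time check next to the array would then enforce the bound, for example `_Static_assert(sizeof(ar_nr_resp) <= 512, "ar_nr_resp must fit in c.d.asBytes");`, using the project's named constant for the payload size if it has one. The body of `Mifare1ksim` continues outside the hunk, so the place where `ar_nr_resp` is copied into the payload is not visible here.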
@@ -1474,7 +1474,7 @@ int CmdHF14AMfucAuth(const char *Cmd){
 //Change key to user defined one
 if (cmdp == 'k' || cmdp == 'K'){
 keyNo = param_get8(Cmd, 1);
- if(keyNo > KEYS_3DES_COUNT)
+ if(keyNo > KEYS_3DES_COUNT-1)
 errors = true;
 }
-- 
2.39.2
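Review bot: The corrected bound on `keyNo` is written as `keyNo > KEYS_3DES_COUNT-1`, which hides that this is an array-index check; `if(keyNo >= KEYS_3DES_COUNT)` is equivalent and matches the usual form for validating an index against an element count. A short comment such as `// keyNo indexes the default 3DES key table` would record why the limit is exclusive. The hunk does not show how `param_get8` reports a missing or non-numeric argument. If it falls back to 0, a malformed `k` option would silently select the first key instead of setting `errors`, which is worth confirming. `CmdHF14AMfucAuth` starts and ends outside the hunk, so the later use of `keyNo` is not visible here.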