From 735136e6a33e4851127b45d373ea58f1710bd1f4 Mon Sep 17 00:00:00 2001
From: marshmellow42 <marshmellowrf@gmail.com>
Date: Sun, 14 Feb 2016 13:37:05 -0500
Subject: [PATCH] lf t55 bruteforce lots of resource leaks...

plus strlen(Cmd) can never be less than 0
iceman1001 fixes...
---
 client/cmdlft55xx.c  | 31 +++++++++++++++++++++++--------
 client/cmdlfviking.c |  8 ++++----
 2 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c
index 348cb229..5d797edc 100644
--- a/client/cmdlft55xx.c
+++ b/client/cmdlft55xx.c
@@ -1371,11 +1371,9 @@ int CmdT55xxBruteForce(const char *Cmd) {
 	char buf[9];
 	char filename[FILE_PATH_SIZE]={0};
 	int keycnt = 0;
+	int ch;
 	uint8_t stKeyBlock = 20;
-	uint8_t *keyBlock = NULL, *p;
-	keyBlock = calloc(stKeyBlock, 6);
-	if (keyBlock == NULL) return 1;
-
+	uint8_t *keyBlock = NULL, *p = NULL;
 	uint32_t start_password = 0x00000000; //start password
 	uint32_t end_password   = 0xFFFFFFFF; //end   password
 	bool found = false;
@@ -1383,6 +1381,9 @@ int CmdT55xxBruteForce(const char *Cmd) {
 	char cmdp = param_getchar(Cmd, 0);
 	if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();
 
+	keyBlock = calloc(stKeyBlock, 6);
+	if (keyBlock == NULL) return 1;
+
 	if (cmdp == 'i' || cmdp == 'I') {
 
 		int len = strlen(Cmd+2);
@@ -1417,6 +1418,7 @@ int CmdT55xxBruteForce(const char *Cmd) {
 				if (!p) {
 					PrintAndLog("Cannot allocate memory for defaultKeys");
 					free(keyBlock);
+					fclose(f);
 					return 2;
 				}
 				keyBlock = p;
@@ -1431,6 +1433,7 @@ int CmdT55xxBruteForce(const char *Cmd) {
 		
 		if (keycnt == 0) {
 			PrintAndLog("No keys found in file");
+			free(keyBlock);
 			return 1;
 		}
 		PrintAndLog("Loaded %d keys", keycnt);
@@ -1440,8 +1443,10 @@ int CmdT55xxBruteForce(const char *Cmd) {
 		for (uint16_t c = 0; c < keycnt; ++c ) {
 
 			if (ukbhit()) {
-				getchar();
+				ch = getchar();
+				(void)ch;
 				printf("\naborted via keyboard!\n");
+				free(keyBlock);
 				return 0;
 			}
 
@@ -1451,6 +1456,7 @@ int CmdT55xxBruteForce(const char *Cmd) {
 
 			if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) {
 				PrintAndLog("Aquireing data from device failed. Quitting");
+				free(keyBlock);
 				return 0;
 			}
 
@@ -1458,10 +1464,12 @@ int CmdT55xxBruteForce(const char *Cmd) {
 
 			if ( found ) {
 				PrintAndLog("Found valid password: [%08X]", testpwd);
+				free(keyBlock);
 				return 0;
 			}
 		}
 		PrintAndLog("Password NOT found.");
+		free(keyBlock);
 		return 0;
 	}
 
@@ -1471,8 +1479,10 @@ int CmdT55xxBruteForce(const char *Cmd) {
 	start_password = param_get32ex(Cmd, 0, 0, 16);
 	end_password = param_get32ex(Cmd, 1, 0, 16);
 
-	if ( start_password >= end_password ) return usage_t55xx_bruteforce();
-
+	if ( start_password >= end_password ) {
+		free(keyBlock);
+		return usage_t55xx_bruteforce();
+	}
 	PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);
 
 	uint32_t i = start_password;
@@ -1482,13 +1492,16 @@ int CmdT55xxBruteForce(const char *Cmd) {
 		printf(".");
 		fflush(stdout);
 		if (ukbhit()) {
-			getchar();
+			ch = getchar();
+			(void)ch;
 			printf("\naborted via keyboard!\n");
+			free(keyBlock);
 			return 0;
 		}
 
 		if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) {
 			PrintAndLog("Aquireing data from device failed. Quitting");
+			free(keyBlock);
 			return 0;
 		}
 		found = tryDetectModulation();
@@ -1503,6 +1516,8 @@ int CmdT55xxBruteForce(const char *Cmd) {
 		PrintAndLog("Found valid password: [%08x]", i);
 	else
 		PrintAndLog("Password NOT found. Last tried: [%08x]", --i);
+
+	free(keyBlock);
 	return 0;
 }
 
diff --git a/client/cmdlfviking.c b/client/cmdlfviking.c
index 8c0656d2..5c0e590c 100644
--- a/client/cmdlfviking.c
+++ b/client/cmdlfviking.c
@@ -66,7 +66,7 @@ int CmdVikingClone(const char *Cmd) {
 	uint64_t rawID = 0;
 	bool Q5 = false;
 	char cmdp = param_getchar(Cmd, 0);
-	if (strlen(Cmd) < 0 || cmdp == 'h' || cmdp == 'H') return usage_lf_viking_clone();
+	if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_lf_viking_clone();
 
 	id = param_get32ex(Cmd, 0, 0, 16);
 	if (id == 0) return usage_lf_viking_clone();
@@ -74,8 +74,8 @@ int CmdVikingClone(const char *Cmd) {
 		Q5 = true;
 
 	rawID = getVikingBits(id);
-	PrintAndLog("Cloning - ID: %08X, Raw: %08X%08X",id,(uint32_t)(rawID >> 32),(uint32_t) (rawID & 0xFFFFFFFF));
-	UsbCommand c = {CMD_VIKING_CLONE_TAG,{rawID >> 32, rawID & 0xFFFFFFFF, Q5}};
+
+	UsbCommand c = {CMD_VIKING_CLONE_TAG,{rawID >> 32, rawID & 0xFFFF, Q5}};
 	clearCommandBuffer();
 	SendCommand(&c);
 	//check for ACK
@@ -89,7 +89,7 @@ int CmdVikingSim(const char *Cmd) {
 	uint8_t clk = 32, encoding = 1, separator = 0, invert = 0;
 	char cmdp = param_getchar(Cmd, 0);
 
-	if (strlen(Cmd) < 0 || cmdp == 'h' || cmdp == 'H') return usage_lf_viking_sim();
+	if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_lf_viking_sim();
 	id = param_get32ex(Cmd, 0, 0, 16);
 	if (id == 0) return usage_lf_viking_sim();
 
-- 
2.39.2