From ece142a6677550c9fbc805a72b4f09b052251d45 Mon Sep 17 00:00:00 2001 From: gornekich Date: Tue, 5 Jul 2022 18:41:19 +0300 Subject: [PATCH] Fix buffer overflow in mifare classic lib #1374 --- lib/nfc_protocols/mifare_classic.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/lib/nfc_protocols/mifare_classic.c b/lib/nfc_protocols/mifare_classic.c index 28334119d..21d470bca 100644 --- a/lib/nfc_protocols/mifare_classic.c +++ b/lib/nfc_protocols/mifare_classic.c @@ -386,11 +386,25 @@ bool mf_classic_read_block( tx_rx->tx_rx_type = FuriHalNfcTxRxTypeRaw; if(furi_hal_nfc_tx_rx(tx_rx, 50)) { - if(tx_rx->rx_bits == 8 * 18) { - for(uint8_t i = 0; i < 18; i++) { - block->value[i] = crypto1_byte(crypto, 0, 0) ^ tx_rx->rx_data[i]; + if(tx_rx->rx_bits == 8 * (MF_CLASSIC_BLOCK_SIZE + 2)) { + uint8_t block_received[MF_CLASSIC_BLOCK_SIZE + 2]; + for(uint8_t i = 0; i < MF_CLASSIC_BLOCK_SIZE + 2; i++) { + block_received[i] = crypto1_byte(crypto, 0, 0) ^ tx_rx->rx_data[i]; + } + uint16_t crc_calc = nfca_get_crc16(block_received, MF_CLASSIC_BLOCK_SIZE); + uint16_t crc_received = (block_received[MF_CLASSIC_BLOCK_SIZE + 1] << 8) | + block_received[MF_CLASSIC_BLOCK_SIZE]; + if(crc_received != crc_calc) { + FURI_LOG_E( + TAG, + "Incorrect CRC while reading block %d. Expected %04X, Received %04X", + block_num, + crc_received, + crc_calc); + } else { + memcpy(block->value, block_received, MF_CLASSIC_BLOCK_SIZE); + read_block_success = true; } - read_block_success = true; } } return read_block_success;