From 0a22929eacced19efc4d2d1cc8833cac67f29250 Mon Sep 17 00:00:00 2001
From: Philippe Teuwen
Date: Tue, 10 Sep 2024 09:02:46 +0200
Subject: [PATCH] Fix buffer overflow
Strangely only detected by Ubuntu 18.4 gcc 7.5.0 ``` [-] CC src/cmdhflist.c In file included from /usr/include/string.h:494:0, from src/cmdhfict.c:21: In function 'memcpy', inlined from 'diversify_mifare_key' at src/cmdhfict.c:151:5, inlined from 'derive_mifare_key' at src/cmdhfict.c:189:5, inlined from 'CmdHfIctReader' at src/cmdhfict.c:199:12: /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10: error: '__builtin___memcpy_chk' writing 8 bytes into a region of size 6 overflows the destination [-Werror=stringop-overflow=] return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In function 'memcpy', inlined from 'diversify_mifare_key' at src/cmdhfict.c:151:5, inlined from 'derive_mifare_key' at src/cmdhfict.c:189:5, inlined from 'CmdHfIctReader' at src/cmdhfict.c:203:12: /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10: error: '__builtin___memcpy_chk' writing 8 bytes into a region of size 6 overflows the destination [-Werror=stringop-overflow=] return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest)); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ``` ```c uint8_t diverse[MIFARE_KEY_SIZE]; // = 6 diversify_mifare_key(uid, diverse); ``` ```c static int diversify_mifare_key(const uint8_t *uid, uint8_t *app_key) { ... uint8_t output[8]; ... memcpy(app_key, output, sizeof(output)); ```
---
client/src/cmdhfict.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/src/cmdhfict.c b/client/src/cmdhfict.c
index fdfbb97e7..6b143ba3f 100644
--- a/client/src/cmdhfict.c
+++ b/client/src/cmdhfict.c
@@ -148,7 +148,7 @@ static int diversify_mifare_key(const uint8_t *uid, uint8_t *app_key) {
 return PM3_ESOFT;
 }
 mbedtls_aes_free(&aes);
-memcpy(app_key, output, sizeof(output));
+memcpy(app_key, output, MIFARE_KEY_SIZE);
 return PM3_SUCCESS;
 }
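Review bot: The new memcpy on the `+` line silently truncates the 8-byte AES block in `output` to MIFARE_KEY_SIZE bytes, and nothing in the hunk records that taking the leading bytes is the intended derivation or that the caller's `app_key` must hold at least MIFARE_KEY_SIZE bytes; a comment above the copy, `// app_key must hold MIFARE_KEY_SIZE bytes; the diversified key is the first MIFARE_KEY_SIZE bytes of the AES output`, would state both contracts. The read side is still unchecked: if MIFARE_KEY_SIZE were ever raised above sizeof(output) the copy would read past `output`, so `_Static_assert(MIFARE_KEY_SIZE <= sizeof(output), "diversified key must fit in AES output");` next to the memcpy pins the relationship the fix relies on. `output` holds derived key material and is left on the stack after the copy; consider clearing it before `return PM3_SUCCESS;` with whatever explicit-zeroing helper the project uses, since a plain memset immediately before return may be optimized away. diversify_mifare_key's body begins outside the hunk.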