FIX: Coverity scan found some bugs in the EMV code. This commit fixes:

-CID 141293 - missing va_end call
  -CID 141290 - return var not always given a value
  -CID 141289 - array out of bounds write. off by one.
  -CID 141288 - dead code because of CID 141287
  -CID 141287 - wrong mask
  -CID 141286 - wrong mask value
iceman1001 2017-02-15 02:44:34 +01:00
commit 1bfbe92a53
2 changed files with 113 additions and 112 deletions


@ -171,7 +171,7 @@ int EMV_PaywaveTransaction()
cardMode = VISA_FDDA; cardMode = VISA_FDDA;
} }
else if((currentcard.tag_9F66[0] & 0x80) == 0x80) { else if((currentcard.tag_9F66[0] & 0x80) == 0x80) {
if((currentcard.tag_9F66[1] & 0x80) == 1) { //CVN17 if((currentcard.tag_9F66[1] & 0x80) == 0x80) { //CVN17
cardMode = VISA_CVN17; cardMode = VISA_CVN17;
} else { } else {
cardMode = VISA_DCVV; cardMode = VISA_DCVV;
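Review bot: The corrected test `(currentcard.tag_9F66[1] & 0x80) == 0x80` makes the VISA_CVN17 branch reachable for the first time, because the old comparison against 1 could never be true; that path has presumably never run against a real card and should be exercised before release. The bare 0x80 literals on both 9F66 bytes would be easier to audit as named masks, with a comment such as `/* tag 9F66 byte 2, bit 8 */` stating which bit is meant. The enclosing if/else chain in EMV_PaywaveTransaction starts and ends outside the hunk.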


@ -42,7 +42,7 @@ int emv_lookuptag(uint8_t* tag, emvtags *currentcard, uint8_t* outputval, uint8_
{ {
//loop through tag and return the appropriate value //loop through tag and return the appropriate value
uint8_t returnedtag[255]; uint8_t returnedtag[255];
uint8_t returnedlength; uint8_t returnedlength = 0;
memset(returnedtag, 0x00, sizeof(returnedtag)); memset(returnedtag, 0x00, sizeof(returnedtag));
if(!memcmp(tag, "\x4F\x00",2)){ if(!memcmp(tag, "\x4F\x00",2)){
memcpy(&returnedtag, currentcard->tag_4F, currentcard->tag_4F_len); memcpy(&returnedtag, currentcard->tag_4F, currentcard->tag_4F_len);
@ -231,25 +231,25 @@ int emv_lookuptag(uint8_t* tag, emvtags *currentcard, uint8_t* outputval, uint8_
returnedlength = currentcard->tag_9F0B_len; goto exitfunction;} returnedlength = currentcard->tag_9F0B_len; goto exitfunction;}
else if(*(tag+1) == 0x0D){ else if(*(tag+1) == 0x0D){
memcpy(&returnedtag, currentcard->tag_9F0D, sizeof(currentcard->tag_9F0D)); memcpy(&returnedtag, currentcard->tag_9F0D, sizeof(currentcard->tag_9F0D));
returnedlength = sizeof(currentcard->tag_9F0D);goto exitfunction;} returnedlength = sizeof(currentcard->tag_9F0D); goto exitfunction;}
else if(*(tag+1) == 0x0E){ else if(*(tag+1) == 0x0E){
memcpy(&returnedtag, currentcard->tag_9F0E, sizeof(currentcard->tag_9F0E)); memcpy(&returnedtag, currentcard->tag_9F0E, sizeof(currentcard->tag_9F0E));
returnedlength = sizeof(currentcard->tag_9F0E);goto exitfunction;} returnedlength = sizeof(currentcard->tag_9F0E); goto exitfunction;}
else if(*(tag+1) == 0x0F){ else if(*(tag+1) == 0x0F){
memcpy(&returnedtag, currentcard->tag_9F0F, sizeof(currentcard->tag_9F0F)); memcpy(&returnedtag, currentcard->tag_9F0F, sizeof(currentcard->tag_9F0F));
returnedlength = sizeof(currentcard->tag_9F0F);goto exitfunction;} returnedlength = sizeof(currentcard->tag_9F0F); goto exitfunction;}
else if(*(tag+1) == 0x10){ else if(*(tag+1) == 0x10){
memcpy(&returnedtag, currentcard->tag_9F10, currentcard->tag_9F10_len); memcpy(&returnedtag, currentcard->tag_9F10, currentcard->tag_9F10_len);
returnedlength = currentcard->tag_9F10_len;goto exitfunction;} returnedlength = currentcard->tag_9F10_len; goto exitfunction;}
else if(*(tag+1) == 0x11){ else if(*(tag+1) == 0x11){
memcpy(&returnedtag, currentcard->tag_9F11, sizeof(currentcard->tag_9F11)); memcpy(&returnedtag, currentcard->tag_9F11, sizeof(currentcard->tag_9F11));
returnedlength = sizeof(currentcard->tag_9F11);goto exitfunction;} returnedlength = sizeof(currentcard->tag_9F11); goto exitfunction;}
else if(*(tag+1) == 0x12){ else if(*(tag+1) == 0x12){
memcpy(&returnedtag, currentcard->tag_9F12, currentcard->tag_9F12_len); memcpy(&returnedtag, currentcard->tag_9F12, currentcard->tag_9F12_len);
returnedlength = currentcard->tag_9F12_len;goto exitfunction;} returnedlength = currentcard->tag_9F12_len; goto exitfunction;}
else if(*(tag+1) == 0x1A){ else if(*(tag+1) == 0x1A){
memcpy(&returnedtag, currentcard->tag_9F1A, sizeof(currentcard->tag_9F1A)); memcpy(&returnedtag, currentcard->tag_9F1A, sizeof(currentcard->tag_9F1A));
goto exitfunction;} returnlength = sizeof(currentcard->tag_9F1A); goto exitfunction;}
else if(*(tag+1) == 0x1F){ else if(*(tag+1) == 0x1F){
memcpy(&returnedtag, currentcard->tag_9F1F, currentcard->tag_9F1F_len); memcpy(&returnedtag, currentcard->tag_9F1F, currentcard->tag_9F1F_len);
returnedlength = currentcard->tag_9F1F_len; goto exitfunction;} returnedlength = currentcard->tag_9F1F_len; goto exitfunction;}
@ -259,10 +259,10 @@ int emv_lookuptag(uint8_t* tag, emvtags *currentcard, uint8_t* outputval, uint8_
else if(*(tag+1) == 0x34){ else if(*(tag+1) == 0x34){
memcpy(&returnedtag, currentcard->tag_9F34, sizeof(currentcard->tag_9F34)); memcpy(&returnedtag, currentcard->tag_9F34, sizeof(currentcard->tag_9F34));
returnedlength = sizeof(currentcard->tag_9F34); goto exitfunction;} returnedlength = sizeof(currentcard->tag_9F34); goto exitfunction;}
else if(*(tag+1) == 0x35){ else if(*(tag+1) == 0x35){
memcpy(&returnedtag, currentcard->tag_9F35, sizeof(currentcard->tag_9F35)); memcpy(&returnedtag, currentcard->tag_9F35, sizeof(currentcard->tag_9F35));
returnedlength = sizeof(currentcard->tag_9F35); goto exitfunction;} returnedlength = sizeof(currentcard->tag_9F35); goto exitfunction;}
else if(*(tag+1) == 0x37){ else if(*(tag+1) == 0x37){
memcpy(&returnedtag, currentcard->tag_9F37, sizeof(currentcard->tag_9F37)); memcpy(&returnedtag, currentcard->tag_9F37, sizeof(currentcard->tag_9F37));
returnedlength = sizeof(currentcard->tag_9F37);goto exitfunction;} returnedlength = sizeof(currentcard->tag_9F37);goto exitfunction;}
else if(*(tag+1) == 0x38){ else if(*(tag+1) == 0x38){
@ -295,7 +295,7 @@ else if(*(tag+1) == 0x37){
else if(*(tag+1) == 0x4C){ else if(*(tag+1) == 0x4C){
memcpy(&returnedtag, currentcard->tag_9F4C, sizeof(currentcard->tag_9F4C)); memcpy(&returnedtag, currentcard->tag_9F4C, sizeof(currentcard->tag_9F4C));
returnedlength = sizeof(currentcard->tag_9F4C); goto exitfunction;} returnedlength = sizeof(currentcard->tag_9F4C); goto exitfunction;}
else if(*(tag+1) == 0x60){ else if(*(tag+1) == 0x60){
memcpy(&returnedtag, currentcard->tag_9F60, sizeof(currentcard->tag_9F60)); memcpy(&returnedtag, currentcard->tag_9F60, sizeof(currentcard->tag_9F60));
returnedlength = sizeof(currentcard->tag_9F60);goto exitfunction;} returnedlength = sizeof(currentcard->tag_9F60);goto exitfunction;}
else if(*(tag+1) == 0x61){ else if(*(tag+1) == 0x61){
@ -826,6 +826,7 @@ int emv_generatetemplate(uint8_t* templateval,emvtags* currentcard, uint8_t* ret
} }
encode_ber_tlv_item(templateval, strlen((const char*) templateval), bufferval, counter, returnedval, &encodedlen); encode_ber_tlv_item(templateval, strlen((const char*) templateval), bufferval, counter, returnedval, &encodedlen);
*returnedlen = encodedlen; *returnedlen = encodedlen;
va_end(arguments);
return 0; return 0;
} }
@ -1388,7 +1389,7 @@ int emv_getprocessingoptions(uint8_t* pdol, uint8_t pdol_len, void* data)
processingCmd[6] = pdol_len; processingCmd[6] = pdol_len;
if(pdol_len > 0){ if(pdol_len > 0){
memcpy(&(processingCmd[7]), pdol, pdol_len);} memcpy(&(processingCmd[7]), pdol, pdol_len);}
processingCmd[processingCmd_len] = 0x00; processingCmd[processingCmd_len-1] = 0x00;
return iso14_apdu(processingCmd, processingCmd_len, data); return iso14_apdu(processingCmd, processingCmd_len, data);
} }
@ -1513,7 +1514,7 @@ int emv_decodeCVM(uint8_t* CVM, uint8_t CVMlen)
if((CVM[counter] & 0x3F) == 0x30){ if((CVM[counter] & 0x3F) == 0x30){
Dbprintf("Signature (paper)"); Dbprintf("Signature (paper)");
} }
if((CVM[counter] & 0x3F) == 0x40){ if((CVM[counter] & 0x7F) == 0x40){ // iceman, wrong masked used? changed from 0x3f -> 0x7f
Dbprintf("No CVM required"); Dbprintf("No CVM required");
} }
counter +=2; counter +=2;
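Review bot: The new assignment in the 0x1A branch of emv_lookuptag writes to `returnlength`, while the variable declared at the top of the function and used by every other branch is `returnedlength`. Unless a `returnlength` is declared outside the visible hunks this will not compile, and if one does exist the length for tag 9F1A stays at the new default of 0, so CID 141290 is not resolved for this branch; the line should read `returnedlength = sizeof(currentcard->tag_9F1A); goto exitfunction;`. Separately, the 0x7F mask in emv_decodeCVM is marked as a guess by its own comment: as I read the EMV Book 3 CVM code table, the method sits in the low six bits and "No CVM required" is 0x1F, so `(CVM[counter] & 0x3F) == 0x1F` looks like the intended test and is worth confirming against the spec. All of these functions continue outside the hunks shown.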