diff --git a/CHANGELOG.md b/CHANGELOG.md index befb67d0f..e87e6bfae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ This project uses the changelog in accordance with [keepchangelog](http://keepac ## [unreleased][unreleased] - Improved NXP SLI/SLIX series tag identification (@nvx) + - Fixed buffer overflow in "lf em 4x05 sniff" (@HeinrichsH) - Fixed potential NULL array printing (@jmichel) - Added PIV aid to resource file (@jmichel) - Fixed failing compilation on Proxspace environment due to how python is initialized (@jmichel) diff --git a/client/src/cmdlfem4x05.c b/client/src/cmdlfem4x05.c index 6eb2bb837..8e6110c62 100644 --- a/client/src/cmdlfem4x05.c +++ b/client/src/cmdlfem4x05.c @@ -41,6 +41,7 @@ #include "generator.h" #include "cliparser.h" #include "cmdhw.h" +#include "util.h" //////////////// 4205 / 4305 commands @@ -1996,8 +1997,7 @@ int CmdEM4x05Sniff(const char *Cmd) { const char *cmdText; char dataText[100]; char blkAddr[4]; - char bits[80]; - int i, bitidx; + int i; int ZeroWidth; // 32-42 "1" is 32 int CycleWidth; size_t pulseSamples; @@ -2018,6 +2018,10 @@ int CmdEM4x05Sniff(const char *Cmd) { PrintAndLogEx(SUCCESS, "offset | Command | Data | blk | raw"); PrintAndLogEx(SUCCESS, "-------+-------------+----------+-----+------------------------------------------------------------"); + smartbuf bits = { 0 }; + bits.ptr = malloc(EM4X05_BITS_BUFSIZE); + bits.size = EM4X05_BITS_BUFSIZE; + bits.idx = 0; size_t idx = 0; // loop though sample buffer while (idx < g_GraphTraceLen) { @@ -2037,8 +2041,8 @@ int CmdEM4x05Sniff(const char *Cmd) { if (ZeroWidth <= 50) { pktOffset -= ZeroWidth; - memset(bits, 0x00, sizeof(bits)); - bitidx = 0; + memset(bits.ptr, 0, bits.size); + bits.idx = 0; while ((idx < g_GraphTraceLen) && !eop) { CycleWidth = idx; @@ -2047,7 +2051,7 @@ int CmdEM4x05Sniff(const char *Cmd) { CycleWidth = idx - CycleWidth; if ((CycleWidth > 300) || (CycleWidth < (ZeroWidth - 5))) { // to long or too short eop = true; - bits[bitidx++] = '0'; // Append last zero from the last bit find + sb_append_char(&bits, '0'); // Append last zero from the last bit find cmdText = ""; // EM4305 command lengths @@ -2059,76 +2063,77 @@ int CmdEM4x05Sniff(const char *Cmd) { // -> disable 1010 11111111 0 11111111 0 11111111 0 11111111 0 00000000 0 // Check to see if we got the leading 0 - if (((strncmp(bits, "00011", 5) == 0) && (bitidx == 50)) || - ((strncmp(bits, "00101", 5) == 0) && (bitidx == 57)) || - ((strncmp(bits, "01001", 5) == 0) && (bitidx == 12)) || - ((strncmp(bits, "01100", 5) == 0) && (bitidx == 50)) || - ((strncmp(bits, "01010", 5) == 0) && (bitidx == 50))) { - memmove(bits, &bits[1], bitidx - 1); - bitidx--; + if (((strncmp(bits.ptr, "00011", 5) == 0) && (bits.idx == 50)) || + ((strncmp(bits.ptr, "00101", 5) == 0) && (bits.idx == 57)) || + ((strncmp(bits.ptr, "01001", 5) == 0) && (bits.idx == 12)) || + ((strncmp(bits.ptr, "01100", 5) == 0) && (bits.idx == 50)) || + ((strncmp(bits.ptr, "01010", 5) == 0) && (bits.idx == 50))) { + memmove(bits.ptr, &bits.ptr[1], bits.idx - 1); + bits.idx--; PrintAndLogEx(INFO, "Trim leading 0"); } - bits[bitidx] = 0; + sb_append_char(&bits, 0); + bits.idx--; // logon - if ((strncmp(bits, "0011", 4) == 0) && (bitidx == 49)) { + if ((strncmp(bits.ptr, "0011", 4) == 0) && (bits.idx == 49)) { haveData = true; pwd = true; cmdText = "Logon"; strncpy(blkAddr, " ", sizeof(blkAddr)); - tmpValue = em4x05_Sniff_GetBlock(&bits[4], fwd); + tmpValue = em4x05_Sniff_GetBlock(&bits.ptr[4], fwd); snprintf(dataText, sizeof(dataText), "%08X", tmpValue); } // write - if ((strncmp(bits, "0101", 4) == 0) && (bitidx == 56)) { + if ((strncmp(bits.ptr, "0101", 4) == 0) && (bits.idx == 56)) { haveData = true; cmdText = "Write"; - tmpValue = (bits[4] - '0') + ((bits[5] - '0') << 1) + ((bits[6] - '0') << 2) + ((bits[7] - '0') << 3); + tmpValue = (bits.ptr[4] - '0') + ((bits.ptr[5] - '0') << 1) + ((bits.ptr[6] - '0') << 2) + ((bits.ptr[7] - '0') << 3); snprintf(blkAddr, sizeof(blkAddr), "%u", tmpValue); if (tmpValue == 2) { pwd = true; } - tmpValue = em4x05_Sniff_GetBlock(&bits[11], fwd); + tmpValue = em4x05_Sniff_GetBlock(&bits.ptr[11], fwd); snprintf(dataText, sizeof(dataText), "%08X", tmpValue); } // read - if ((strncmp(bits, "1001", 4) == 0) && (bitidx == 11)) { + if ((strncmp(bits.ptr, "1001", 4) == 0) && (bits.idx == 11)) { haveData = true; pwd = false; cmdText = "Read"; - tmpValue = (bits[4] - '0') + ((bits[5] - '0') << 1) + ((bits[6] - '0') << 2) + ((bits[7] - '0') << 3); + tmpValue = (bits.ptr[4] - '0') + ((bits.ptr[5] - '0') << 1) + ((bits.ptr[6] - '0') << 2) + ((bits.ptr[7] - '0') << 3); snprintf(blkAddr, sizeof(blkAddr), "%u", tmpValue); strncpy(dataText, " ", sizeof(dataText)); } // protect - if ((strncmp(bits, "1100", 4) == 0) && (bitidx == 49)) { + if ((strncmp(bits.ptr, "1100", 4) == 0) && (bits.idx == 49)) { haveData = true; pwd = false; cmdText = "Protect"; strncpy(blkAddr, " ", sizeof(blkAddr)); - tmpValue = em4x05_Sniff_GetBlock(&bits[11], fwd); + tmpValue = em4x05_Sniff_GetBlock(&bits.ptr[11], fwd); snprintf(dataText, sizeof(dataText), "%08X", tmpValue); } // disable - if ((strncmp(bits, "1010", 4) == 0) && (bitidx == 49)) { + if ((strncmp(bits.ptr, "1010", 4) == 0) && (bits.idx == 49)) { haveData = true; pwd = false; cmdText = "Disable"; strncpy(blkAddr, " ", sizeof(blkAddr)); - tmpValue = em4x05_Sniff_GetBlock(&bits[11], fwd); + tmpValue = em4x05_Sniff_GetBlock(&bits.ptr[11], fwd); snprintf(dataText, sizeof(dataText), "%08X", tmpValue); } // bits[bitidx] = 0; } else { i = (CycleWidth - ZeroWidth) / 28; - bits[bitidx++] = '0'; + sb_append_char(&bits, '0'); for (int ii = 0; ii < i; ii++) { - bits[bitidx++] = '1'; + sb_append_char(&bits, '1'); } } } @@ -2139,11 +2144,13 @@ int CmdEM4x05Sniff(const char *Cmd) { // Print results if (haveData) { //&& (minWidth > 1) && (maxWidth > minWidth)){ if (pwd) - PrintAndLogEx(SUCCESS, "%6zu | %-10s | " _YELLOW_("%8s")" | " _YELLOW_("%3s")" | %s", pktOffset, cmdText, dataText, blkAddr, bits); + PrintAndLogEx(SUCCESS, "%6zu | %-10s | " _YELLOW_("%8s")" | " _YELLOW_("%3s")" | %s", pktOffset, cmdText, dataText, blkAddr, bits.ptr); else - PrintAndLogEx(SUCCESS, "%6zu | %-10s | " _GREEN_("%8s")" | " _GREEN_("%3s")" | %s", pktOffset, cmdText, dataText, blkAddr, bits); + PrintAndLogEx(SUCCESS, "%6zu | %-10s | " _GREEN_("%8s")" | " _GREEN_("%3s")" | %s", pktOffset, cmdText, dataText, blkAddr, bits.ptr); } } + free(bits.ptr); + bits.ptr = NULL; // footer PrintAndLogEx(SUCCESS, "---------------------------------------------------------------------------------------------------"); diff --git a/client/src/cmdlfem4x05.h b/client/src/cmdlfem4x05.h index 19c3dd4f2..ed472a803 100644 --- a/client/src/cmdlfem4x05.h +++ b/client/src/cmdlfem4x05.h @@ -27,6 +27,8 @@ #define EM4305_PROT2_BLOCK 15 #define EM4469_PROT_BLOCK 3 +#define EM4X05_BITS_BUFSIZE 128 + // config blocks #define EM4305_DEFAULT_CONFIG_BLOCK (EM4x05_SET_BITRATE(32) | EM4x05_MODULATION_MANCHESTER | EM4x05_SET_NUM_BLOCKS(4) ) // ASK/MAN , data rate 32, 4 data blocks //#define EM4305_DEFAULT_CONFIG_BLOCK (EM4x05_SET_BITRATE(32) | EM4x05_MODULATION_BIPHASE | EM4x05_SET_NUM_BLOCKS(4) ) // ASK/BIPHASE , data rate 32, 4 data blocks diff --git a/client/src/util.c b/client/src/util.c index d6d57414d..56eb3164a 100644 --- a/client/src/util.c +++ b/client/src/util.c @@ -1261,3 +1261,12 @@ int byte_strstr(uint8_t *src, size_t srclen, uint8_t *pattern, size_t plen) { } return -1; } + +void sb_append_char(smartbuf *sb, unsigned char c) { + if (sb->idx >= sb->size) { + sb->size *= 2; + sb->ptr = realloc(sb->ptr, sb->size); + } + sb->ptr[sb->idx] = c; + sb->idx++; +} diff --git a/client/src/util.h b/client/src/util.h index 939e0a55d..616272c84 100644 --- a/client/src/util.h +++ b/client/src/util.h @@ -146,4 +146,11 @@ uint32_t leadingzeros32(uint32_t a); uint64_t leadingzeros64(uint64_t a); int byte_strstr(uint8_t *src, size_t srclen, uint8_t *pattern, size_t plen); + +struct smartbuf { + char *ptr; + size_t size; + size_t idx; +} typedef smartbuf; +void sb_append_char(smartbuf *sb, unsigned char c); #endif