From e0eeafe27f91aff369739edf96ae9428a33aedb8 Mon Sep 17 00:00:00 2001
From: mwalker33 <51802811+mwalker33@users.noreply.github.com>
Date: Fri, 2 Sep 2022 22:35:48 +1000
Subject: [PATCH 1/9] mdu ndef error

Patch to stop buffer overflow on ndef read from card Typo fix in change log.
---
 CHANGELOG.md | 3 ++-
 client/src/cmdhfmfu.c | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c99a941f5..8e846aa05 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,7 +3,8 @@ All notable changes to this project will be documented in this file.
 This project uses the changelog in accordance with [keepchangelog](http://keepachangelog.com/). Please use this to write notable changes, which is not the same as git commit log...
 ## [unreleased][unreleased]
- - Changed spiffs write/apped to send in 8192 chucks to ensure its eraised (@mwalker)
+ - Fixed buffer overflow in mfu ndef decode (@mwalker)
+ - Changed spiffs write/append to send in 8192 chunks to ensure its eraised (@mwalker)
 - Fixed spiffs dump to ensure to fails correctly if no big_buff was allocated (@mwalker)
 - Change Client Makefile to respect global flags (@blshkv)
 - Change Makefile, honors global CC values (@blshkv)
diff --git a/client/src/cmdhfmfu.c b/client/src/cmdhfmfu.c
index 2f6e18a53..a1ee42306 100644
--- a/client/src/cmdhfmfu.c
+++ b/client/src/cmdhfmfu.c
@@ -4027,6 +4027,9 @@ int CmdHF14MfuNDEFRead(const char *Cmd) {
 }
 }
+ // The following read will read in blocks of 16 bytes.
+ // ensure maxsize is rounded up to a multiple of 16
+ maxsize = maxsize + (16 - (maxsize % 16));
 // allocate mem
 uint8_t *records = calloc(maxsize, sizeof(uint8_t));
 if (records == NULL) {
From de40ae1f051f8dc00e55e1fd2bce1f608f8c478c Mon Sep 17 00:00:00 2001
From: Builderhummel
Date: Fri, 2 Sep 2022 14:47:12 +0200
Subject: [PATCH 2/9] Fix Typo "form" to "from"

Signed-off-by: Builderhummel
---
 armsrc/Standalone/hf_legicsim.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
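Review bot: The added rounding `maxsize = maxsize + (16 - (maxsize % 16));` always grows the buffer, so a maxsize that is already a multiple of 16 gets a whole extra 16-byte block; the usual round-up `maxsize = ((maxsize + 15) / 16) * 16;` gives the intended size in both cases. The overflow fix only holds if the read loop that fills `records` (outside this hunk, like the rest of CmdHF14MfuNDEFRead) is bounded by the rounded maxsize rather than by the original value, which should be confirmed. The declared type of `maxsize` is not visible here either; if it is a narrow integer, adding up to 16 near its maximum wraps, so a range check before the `calloc` would make the fix robust.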
diff --git a/armsrc/Standalone/hf_legicsim.c b/armsrc/Standalone/hf_legicsim.c
index 7bb27fe8a..7765672b0 100644
--- a/armsrc/Standalone/hf_legicsim.c
+++ b/armsrc/Standalone/hf_legicsim.c
@@ -111,7 +111,7 @@ void RunMod(void) {
 //Indicate which card will be simulated
 LED(i, 0);
- //Try to load dump form flash
+ //Try to load dump from flash
 sprintf(cur_dump_file, HF_LEGICSIM_DUMPFILE_SIM, i);
 Dbprintf(_YELLOW_("[Slot: %d] Try to load dump file: %s"), i, cur_dump_file);
 if (!fill_eml_from_file(cur_dump_file)) {
From 0f96bcff0570936c3a6c480214784240a9787cfe Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Sat, 3 Sep 2022 10:31:08 +0200
Subject: [PATCH 3/9] CID 398740, init a struct

---
 client/src/cmdhficlass.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/client/src/cmdhficlass.c b/client/src/cmdhficlass.c
index e920f9f5d..b4c9d934b 100644
--- a/client/src/cmdhficlass.c
+++ b/client/src/cmdhficlass.c
@@ -664,14 +664,15 @@ static int CmdHFiClassSniff(const char *Cmd) {
 PrintAndLogEx(INFO, "Sniff with jam of iCLASS e-purse updates...");
 }
- const uint8_t update_epurse_sequence[2] = {0x87, 0x02};
-
 struct {
 uint8_t jam_search_len;
 uint8_t jam_search_string[2];
 } PACKED payload;
+ memset(&payload, 0, sizeof(payload));
+
 if (jam_epurse_update) {
+ const uint8_t update_epurse_sequence[2] = {0x87, 0x02};
 payload.jam_search_len = sizeof(update_epurse_sequence);
 memcpy(payload.jam_search_string, update_epurse_sequence, sizeof(payload.jam_search_string));
 }
From eaebf469613bf917aa253f66a7de9de9639b8c05 Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Sat, 3 Sep 2022 10:34:52 +0200
Subject: [PATCH 4/9] CID 398739 , init of array w structs

---
 client/src/cmddata.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/client/src/cmddata.c b/client/src/cmddata.c
index 02138b9ca..8020b7220 100644
--- a/client/src/cmddata.c
+++ b/client/src/cmddata.c
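Review bot: The zeroing of `payload` in CmdHFiClassSniff is done with a separate `memset(&payload, 0, sizeof(payload));` placed after the declaration; writing it as an initializer on the declaration itself, `} PACKED payload = {0};`, states the same intent in one place and cannot drift apart from the declaration in later edits. Narrowing `update_epurse_sequence` to the `if (jam_epurse_update)` block is sound, since both of its uses are inside that block. CmdHFiClassSniff continues beyond this hunk, so whether the struct is ever partially overwritten later cannot be seen here.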
@@ -2767,13 +2767,19 @@ static int print_modulation(lf_modulation_t b) {
 static int try_detect_modulation(void) {
- lf_modulation_t tests[6];
+#define LF_NUM_OF_TESTS 6
+
+ lf_modulation_t tests[LF_NUM_OF_TESTS];
+ for (int i=0; i< ARRAYLEN(tests); i++) {
+ memset(&tests[i], 0, sizeof(lf_modulation_t));
+ }
+
 int clk = 0, firstClockEdge = 0;
- uint8_t hits = 0, ans = 0;
- uint8_t fc1 = 0, fc2 = 0;
+ uint8_t hits = 0, fc1 = 0, fc2 = 0;
 bool st = false;
- ans = fskClocks(&fc1, &fc2, (uint8_t *)&clk, &firstClockEdge);
+
+ uint8_t ans = fskClocks(&fc1, &fc2, (uint8_t *)&clk, &firstClockEdge);
 if (ans && ((fc1 == 10 && fc2 == 8) || (fc1 == 8 && fc2 == 5))) {
From 1525a0059aced44bcecc1e6ac6bea42ee823ac8c Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Sat, 3 Sep 2022 11:14:33 +0200
Subject: [PATCH 5/9] fix #1771 - no default block size in call

---
 armsrc/Standalone/hf_tmudford.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/armsrc/Standalone/hf_tmudford.c b/armsrc/Standalone/hf_tmudford.c
index 158250a0c..a945a49ec 100644
--- a/armsrc/Standalone/hf_tmudford.c
+++ b/armsrc/Standalone/hf_tmudford.c
@@ -75,7 +75,8 @@ void RunMod(void) {
 } else if (state == STATE_EMUL) {
 Iso15693InitTag();
 Dbprintf("Starting simulation, press pm3-button to stop and go back to search state.");
- SimTagIso15693(card.uid);
+ // default block size is 4
+ SimTagIso15693(card.uid, 4);
 state = STATE_READ;
 }
From fccb398aeaff1fcbca6e436e01b7ea8b98915559 Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Sat, 3 Sep 2022 11:22:33 +0200
Subject: [PATCH 6/9] vanity url should work again

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 5747d3d9f..0738cd144 100644
--- a/README.md
+++ b/README.md
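Review bot: The new `#define LF_NUM_OF_TESTS 6` is placed inside the body of try_detect_modulation, but a macro does not obey block scope, so it stays defined for the rest of the translation unit; an `enum { LF_NUM_OF_TESTS = 6 };` at the same spot, or a file-scope constant, scopes it as the author apparently intended. The per-element memset loop can be replaced by zero-initialising the array at its declaration, `lf_modulation_t tests[LF_NUM_OF_TESTS] = {0};`, which removes the loop and the comparison of `int i` against `ARRAYLEN(tests)` that `-Wsign-compare` will warn about if ARRAYLEN expands to a `sizeof` expression, as it usually does. Moving `ans` to its point of first use is a good change. The function body continues past the end of the hunk.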
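Review bot: The new call `SimTagIso15693(card.uid, 4);` carries the block size as a bare literal explained only by the comment above it; a named constant declared with the other settings at the top of hf_tmudford.c would make the intent visible at the call and keep the value in one place. Whether 4 actually matches the block size of the tag that was read into `card` during the search state cannot be determined from this hunk; if `card` carries a block-size field from that read, passing it instead of a fixed default would simulate the tag more faithfully. RunMod starts and ends outside the hunk.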
@@ -200,7 +200,7 @@ The official PM3-GUI from Gaucho will not work. Not to mention is quite old and
 ## Official channels
 Where do you find the community?
- - [RFID Hacking community discord server](https://discord.gg/xEvexdKmpF)
+ - [RFID Hacking community discord server](https://discord.gg/iceman)
 - [Proxmark3 IRC channel](https://web.libera.chat/?channels=#proxmark3)
 - [Proxmark3 sub reddit](https://www.reddit.com/r/proxmark3/)
 - [Proxmark3 forum](http://www.proxmark.org/forum/index.php)
From 1a3aa7eb025e53260380695107a4ee9efa8be9c5 Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Sat, 3 Sep 2022 11:23:01 +0200
Subject: [PATCH 7/9] missing var

---
 client/src/cmdhf15.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/client/src/cmdhf15.c b/client/src/cmdhf15.c
index 0d25e38f9..f08d7f764 100644
--- a/client/src/cmdhf15.c
+++ b/client/src/cmdhf15.c
@@ -1080,7 +1080,7 @@ static int CmdHF15ELoad(const char *Cmd) {
 int tosend = MIN(chuncksize, bytes_read);
 if (hf15EmlSetMem(data + offset, tosend, offset) != PM3_SUCCESS) {
- PrintAndLogEx(FAILED, "Can't set emulator memory at offest: %zu / 0x%zx", offset);
+ PrintAndLogEx(FAILED, "Can't set emulator memory at offest: %zu / 0x%zx", offset, offset);
 free(data);
 return PM3_ESOFT;
 }
From 7a831fc94e8d8ee44cdf02eb3c321b95f2129041 Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Sat, 3 Sep 2022 11:23:44 +0200
Subject: [PATCH 8/9] CID 398738, missing init

---
 client/src/cmdlfhid.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/client/src/cmdlfhid.c b/client/src/cmdlfhid.c
index d25c06811..4b6c69698 100644
--- a/client/src/cmdlfhid.c
+++ b/client/src/cmdlfhid.c
@@ -81,6 +81,7 @@ static int sendTry(uint8_t format_idx, wiegand_card_t *card, uint32_t delay, boo
 }
 lf_hidsim_t payload;
+ payload.Q5 = false;
 payload.hi2 = packed.Top;
 payload.hi = packed.Mid;
 payload.lo = packed.Bot;
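Review bot: The argument list now matches the two conversions, but the message still misspells the word as `offest`; since the line is being touched anyway, `"Can't set emulator memory at offset: %zu / 0x%zx"` would fix the user-facing text. Both `%zu` and `%zx` require a `size_t` argument, so the fix is only complete if `offset` is declared `size_t`; its declaration is outside the hunk and should be checked, because a mismatched type here is undefined behaviour rather than a cosmetic issue. CmdHF15ELoad's body continues beyond the hunk.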
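Review bot: Initialising `payload` one member at a time (`payload.Q5 = false;` followed by hi2/hi/lo) covers only the members this code knows about; any other member of lf_hidsim_t, and the padding between members, is still sent with whatever was on the stack. Since this struct is presumably handed to the device as raw bytes, a `memset(&payload, 0, sizeof(payload));` directly after `lf_hidsim_t payload;` zeroes the whole object including padding, which a `= {0}` initializer does not guarantee, and needs no update when the struct grows. The definition of lf_hidsim_t and the rest of sendTry are not in this hunk, so the exact member list cannot be confirmed here.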
@@ -483,7 +484,7 @@ static int CmdHIDBrute(const char *Cmd) {
 void *argtable[] = {
 arg_param_begin,
- arg_lit0("v", "verbose", "verbose logging, show all tries"),
+ arg_lit0("v", "verbose", "verbose output"),
 arg_str1("w", "wiegand", "", "see " _YELLOW_("`wiegand list`") " for available formats"),
 arg_u64_0(NULL, "fc", "", "facility code"),
 arg_u64_0(NULL, "cn", "", "card number to start with"),
From d76284aa8d2d49a9f30a5888c3e456ab039ed0b8 Mon Sep 17 00:00:00 2001
From: iceman1001
Date: Sun, 4 Sep 2022 13:58:49 +0200
Subject: [PATCH 9/9] style

---
 armsrc/mifarecmd.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/armsrc/mifarecmd.c b/armsrc/mifarecmd.c
index c7afb3a75..ce4b14631 100644
--- a/armsrc/mifarecmd.c
+++ b/armsrc/mifarecmd.c
@@ -887,9 +887,9 @@ void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags,
 break;
 }
- if (!have_uid) { // need a full select cycle to get the uid first
+ if (have_uid == false) { // need a full select cycle to get the uid first
 iso14a_card_select_t card_info;
- if (!iso14443a_select_card(uid, &card_info, &cuid, true, 0, true)) {
+ if (iso14443a_select_card(uid, &card_info, &cuid, true, 0, true) == 0) {
 if (g_dbglevel >= DBG_ERROR) Dbprintf("AcquireEncryptedNonces: Can't select card (ALL)");
 continue;
 }
@@ -908,7 +908,7 @@ void MifareAcquireEncryptedNonces(uint32_t arg0, uint32_t arg1, uint32_t flags,
 }
 have_uid = true;
 } else { // no need for anticollision. We can directly select the card
- if (!iso14443a_fast_select_card(uid, cascade_levels)) {
+ if (iso14443a_fast_select_card(uid, cascade_levels) == 0) {
 if (g_dbglevel >= DBG_ERROR) Dbprintf("AcquireEncryptedNonces: Can't select card (UID)");
 continue;
 }