From 0655b6389e78fb6b1d89c6814bff5a7e2162b58c Mon Sep 17 00:00:00 2001
From: Jakub Kramarz
Date: Thu, 8 May 2025 23:52:01 +0200
Subject: [PATCH 1/2] cmdhfseos: fix stack buffer overflow in select_DF_verify
increased CMAC buffer size, otherwise memset in aes_cmac writes 16-bytes to 8-byte buffer
---
 client/src/cmdhfseos.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/src/cmdhfseos.c b/client/src/cmdhfseos.c
index 6956f2f2c..a4dfbc2ac 100644
--- a/client/src/cmdhfseos.c
+++ b/client/src/cmdhfseos.c
@@ -562,7 +562,7 @@ static int select_DF_verify(uint8_t *response, uint8_t response_length, uint8_t
 }
 // ----------------- MAC Key Generation -----------------
- uint8_t cmac[8];
+ uint8_t cmac[16];
 uint8_t MAC_key[24] = {0x00};
 memcpy(MAC_key, keys[key_index].privMacKey, 16);
 create_cmac(MAC_key, input, cmac, sizeof(input), encryption_algorithm);
From 2163d781267d666ded70678ce62b9916665d8357 Mon Sep 17 00:00:00 2001
From: Jakub Kramarz
Date: Fri, 9 May 2025 00:05:43 +0200
Subject: [PATCH 2/2] cmdhfseos: fix invalid memory access in select_DF_verify
The real default key index in CmdHfSeosGDF passed to select_DF_verify was different than documented, resulting in out of bound read.
---
 client/src/cmdhfseos.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client/src/cmdhfseos.c b/client/src/cmdhfseos.c
index a4dfbc2ac..69b789d42 100644
--- a/client/src/cmdhfseos.c
+++ b/client/src/cmdhfseos.c
@@ -1351,7 +1351,7 @@ static int CmdHfSeosGDF(const char *Cmd) {
 };
 CLIExecWithReturn(ctx, Cmd, argtable, true);
- int key_index = arg_get_int_def(ctx, 1, -1);
+ int key_index = arg_get_int_def(ctx, 1, 0);
 CLIParserFree(ctx);
 return seos_global_df(key_index);
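Review bot: The new `uint8_t cmac[16];` fixes the overflow but leaves the size as a bare literal that nothing ties to the callee: the `create_cmac(MAC_key, input, cmac, sizeof(input), ...)` call on the next line passes the input length but no output-buffer size, so the only record of the 16-byte requirement is the commit message, and the next person who "optimises" it back to 8 gets the same silent stack corruption. Please document the contract at the declaration, e.g. `uint8_t cmac[16]; // create_cmac()/aes_cmac() fill a full 16-byte block; do not shrink`. If the MAC is later used in truncated form that is presumably handled further down the function, which I cannot see here; select_DF_verify starts and ends outside this hunk.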
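Review bot: Changing the default to 0 removes the out-of-bounds read for the no-argument case, but a user-typed index still flows unchecked from `int key_index = arg_get_int_def(ctx, 1, 0);` through `seos_global_df(key_index)` to the `keys[key_index].privMacKey` memcpy shown in the first hunk, and no range check is visible anywhere on this page; unless seos_global_df or select_DF_verify validates it, a negative or oversized value on the command line reads outside `keys[]` exactly as the old `-1` default did. A check after `CLIParserFree(ctx);` would close that path: `if (key_index < 0 || key_index >= (int)ARRAYLEN(keys)) return PM3_EINVARG;` (assuming `keys` is the file-scope table the memcpy indexes; if not, bound against whatever count that table carries). CmdHfSeosGDF starts and ends outside the hunk.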