github/RRG-Proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2025-08-20 05:13:46 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

fix: stack corruptions. keep it simple. (coverty scan 170498, 170497, 170496)

Browse source
This commit is contained in:
iceman1001 2017-09-05 10:10:24 +02:00
commit f21555b1b2
2 changed files with 30 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

4
armsrc/iso14443a.c
View file

@ -1829,13 +1829,13 @@ int iso14443a_select_card(byte_t *uid_ptr, iso14a_card_select_t *p_card, uint32_
if(p_card) { if(p_card) {
memcpy(p_card->atqa, resp, 2); memcpy(p_card->atqa, resp, 2);
p_card->uidlen = 0; p_card->uidlen = 0;
memset(p_card->uid,0,10); memset(p_card->uid, 0, 10);
} }
if (anticollision) { if (anticollision) {
// clear uid // clear uid
if (uid_ptr) if (uid_ptr)
memset(uid_ptr,0,10); memset(uid_ptr, 0, 10);
} }
// reset the PCB block number // reset the PCB block number

56
armsrc/iso15693.c
View file

@ -72,6 +72,9 @@
// 32 + 2 crc + 1 // 32 + 2 crc + 1
#define ISO15_MAX_FRAME 35 #define ISO15_MAX_FRAME 35
#define CMD_ID_RESP 5
#define CMD_READ_RESP 13
#define CMD_INV_RESP 12
#define FrameSOF Iso15693FrameSOF #define FrameSOF Iso15693FrameSOF
#define Logic0 Iso15693Logic0 #define Logic0 Iso15693Logic0
@ -84,9 +87,9 @@
int DEBUG = 0; int DEBUG = 0;
static uint8_t BuildIdentifyRequest(uint8_t **cmdout); static void BuildIdentifyRequest(uint8_t *cmdout);
//static uint8_t BuildReadBlockRequest(uint8_t **cmdout, uint8_t *uid, uint8_t blockNumber ); //static void BuildReadBlockRequest(uint8_t *cmdout, uint8_t *uid, uint8_t blockNumber );
static uint8_t BuildInventoryResponse(uint8_t **cmdout, uint8_t *uid); static void BuildInventoryResponse(uint8_t *cmdout, uint8_t *uid);
// --------------------------- // ---------------------------
// Signal Processing // Signal Processing
@ -540,8 +543,8 @@ void AcquireRawAdcSamplesIso15693(void) {
uint8_t *buf = BigBuf_get_addr(); uint8_t *buf = BigBuf_get_addr();
uint32_t time_start = GetCountSspClk(); uint32_t time_start = GetCountSspClk();
uint8_t *cmd = NULL; uint8_t cmd[CMD_ID_RESP] = {0};
uint8_t cmdlen = BuildIdentifyRequest( &cmd); BuildIdentifyRequest(cmd);
// sending command // sending command
c = 0; c = 0;
@ -561,7 +564,7 @@ void AcquireRawAdcSamplesIso15693(void) {
} }
LogTrace(cmd, cmdlen, time_start << 4, (GetCountSspClk() - time_start) << 4, NULL, true); LogTrace(cmd, CMD_ID_RESP, time_start << 4, (GetCountSspClk() - time_start) << 4, NULL, true);
FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR); FpgaWriteConfWord(FPGA_MAJOR_MODE_HF_READER_RX_XCORR);
@ -682,8 +685,7 @@ void Iso15693InitReader(void) {
// Encode (into the ToSend buffers) an identify request, which is the first // Encode (into the ToSend buffers) an identify request, which is the first
// thing that you must send to a tag to get a response. // thing that you must send to a tag to get a response.
static uint8_t BuildIdentifyRequest(uint8_t **out) { static void BuildIdentifyRequest(uint8_t *out) {
#define CMD_ID_RESP 5
uint8_t cmd[CMD_ID_RESP] = {0, ISO15_CMD_INVENTORY, 0, 0, 0}; uint8_t cmd[CMD_ID_RESP] = {0, ISO15_CMD_INVENTORY, 0, 0, 0};
// flags // flags
@ -696,15 +698,12 @@ static uint8_t BuildIdentifyRequest(uint8_t **out) {
cmd[4] = crc >> 8; cmd[4] = crc >> 8;
// coding as high speed (1 out of 4) // coding as high speed (1 out of 4)
CodeIso15693AsReader(cmd, CMD_ID_RESP); CodeIso15693AsReader(cmd, CMD_ID_RESP);
*out = cmd; memcpy(out, cmd, CMD_ID_RESP);
return CMD_ID_RESP;
} }
// uid is in transmission order (which is reverse of display order) // uid is in transmission order (which is reverse of display order)
/* /*
static uint8_t BuildReadBlockRequest(uint8_t **out, uint8_t *uid, uint8_t blockNumber ) { static void BuildReadBlockRequest(uint8_t **out, uint8_t *uid, uint8_t blockNumber ) {
#define CMD_READ_RESP 13
uint8_t cmd[CMD_READ_RESP] = {0,0,0,0,0,0,0,0,0,0,0,0,0}; uint8_t cmd[CMD_READ_RESP] = {0,0,0,0,0,0,0,0,0,0,0,0,0};
// If we set the Option_Flag in this request, the VICC will respond with the secuirty status of the block // If we set the Option_Flag in this request, the VICC will respond with the secuirty status of the block
// followed by teh block data // followed by teh block data
@ -730,14 +729,12 @@ static uint8_t BuildReadBlockRequest(uint8_t **out, uint8_t *uid, uint8_t blockN
cmd[12] = crc >> 8; cmd[12] = crc >> 8;
CodeIso15693AsReader(cmd, CMD_READ_RESP); CodeIso15693AsReader(cmd, CMD_READ_RESP);
*out = cmd; memcpy(out, cmd, CMD_ID_RESP);
return CMD_READ_RESP;
} }
*/ */
// Now the VICC>VCD responses when we are simulating a tag // Now the VICC>VCD responses when we are simulating a tag
static uint8_t BuildInventoryResponse(uint8_t **out, uint8_t *uid) { static void BuildInventoryResponse(uint8_t *out, uint8_t *uid) {
#define CMD_INV_RESP 12
uint8_t cmd[CMD_INV_RESP] = {0,0,0,0,0,0,0,0,0,0,0,0}; uint8_t cmd[CMD_INV_RESP] = {0,0,0,0,0,0,0,0,0,0,0,0};
@ -761,8 +758,7 @@ static uint8_t BuildInventoryResponse(uint8_t **out, uint8_t *uid) {
cmd[11] = crc >> 8; cmd[11] = crc >> 8;
CodeIso15693AsReader(cmd, CMD_INV_RESP); CodeIso15693AsReader(cmd, CMD_INV_RESP);
*out = cmd; memcpy(out, cmd, CMD_ID_RESP);
return CMD_INV_RESP;
} }
// Universal Method for sending to and recv bytes from a tag // Universal Method for sending to and recv bytes from a tag
@ -905,10 +901,10 @@ void ReaderIso15693(uint32_t parameter) {
// FIRST WE RUN AN INVENTORY TO GET THE TAG UID // FIRST WE RUN AN INVENTORY TO GET THE TAG UID
// THIS MEANS WE CAN PRE-BUILD REQUESTS TO SAVE CPU TIME // THIS MEANS WE CAN PRE-BUILD REQUESTS TO SAVE CPU TIME
uint32_t time_start = GetCountSspClk(); uint32_t time_start = GetCountSspClk();
uint8_t *cmd = NULL; uint8_t cmd[CMD_ID_RESP] = {0};
uint8_t cmdlen = BuildIdentifyRequest( &cmd ); BuildIdentifyRequest( cmd );
TransmitTo15693Tag(ToSend, ToSendMax, &tsamples, &wait); TransmitTo15693Tag(ToSend, ToSendMax, &tsamples, &wait);
LogTrace(cmd, cmdlen, time_start << 4, (GetCountSspClk() - time_start) << 4, NULL, true); LogTrace(cmd, CMD_ID_RESP, time_start << 4, (GetCountSspClk() - time_start) << 4, NULL, true);
// Now wait for a response // Now wait for a response
answerLen1 = GetIso15693AnswerFromTag(answer1, &elapsed) ; answerLen1 = GetIso15693AnswerFromTag(answer1, &elapsed) ;
@ -995,8 +991,8 @@ void SimTagIso15693(uint32_t parameter, uint8_t *uid) {
// Build a suitable reponse to the reader INVENTORY cocmmand // Build a suitable reponse to the reader INVENTORY cocmmand
// not so obsvious, but in the call to BuildInventoryResponse, the command is copied to the global ToSend buffer used below. // not so obsvious, but in the call to BuildInventoryResponse, the command is copied to the global ToSend buffer used below.
uint8_t *cmd = NULL; uint8_t cmd[CMD_INV_RESP] = {0};
uint8_t cmdlen = BuildInventoryResponse( &cmd, uid); BuildInventoryResponse(cmd, uid);
while (!BUTTON_PRESS() && !usb_poll_validate_length() ) { while (!BUTTON_PRESS() && !usb_poll_validate_length() ) {
WDT_HIT(); WDT_HIT();
@ -1009,7 +1005,7 @@ void SimTagIso15693(uint32_t parameter, uint8_t *uid) {
time_start = GetCountSspClk(); time_start = GetCountSspClk();
TransmitTo15693Reader(ToSend, ToSendMax, &tsamples, &wait); TransmitTo15693Reader(ToSend, ToSendMax, &tsamples, &wait);
LogTrace(cmd, cmdlen, time_start << 4, (GetCountSspClk() - time_start) << 4, NULL, true); LogTrace(cmd, CMD_INV_RESP, time_start << 4, (GetCountSspClk() - time_start) << 4, NULL, true);
Dbprintf("%d octets read from reader command: %x %x %x %x %x %x %x %x %x", ans, Dbprintf("%d octets read from reader command: %x %x %x %x %x %x %x %x %x", ans,
buf[0], buf[1], buf[2], buf[3], buf[0], buf[1], buf[2], buf[3],
@ -1024,6 +1020,8 @@ void SimTagIso15693(uint32_t parameter, uint8_t *uid) {
void BruteforceIso15693Afi(uint32_t speed) { void BruteforceIso15693Afi(uint32_t speed) {
uint8_t data[7] = {0,0,0,0,0,0,0}; uint8_t data[7] = {0,0,0,0,0,0,0};
uint8_t buf[ISO15_MAX_FRAME];
memset(buf, 0x00, sizeof(buf));
int datalen = 0, recvlen = 0; int datalen = 0, recvlen = 0;
Iso15693InitReader(); Iso15693InitReader();
@ -1036,12 +1034,12 @@ void BruteforceIso15693Afi(uint32_t speed) {
data[2] = 0; // mask length data[2] = 0; // mask length
datalen = AddCrc(data, 3); datalen = AddCrc(data, 3);
recvlen = SendDataTag(data, datalen, false, speed, data); recvlen = SendDataTag(data, datalen, false, speed, buf);
WDT_HIT(); WDT_HIT();
if (recvlen >= 12) { if (recvlen >= 12) {
Dbprintf("NoAFI UID=%s", sprintUID(NULL, data + 2) ); Dbprintf("NoAFI UID = %s", sprintUID(NULL, buf + 2) );
} }
// now with AFI // now with AFI
@ -1053,10 +1051,10 @@ void BruteforceIso15693Afi(uint32_t speed) {
for (int i = 0; i < 256; i++) { for (int i = 0; i < 256; i++) {
data[2] = i & 0xFF; data[2] = i & 0xFF;
datalen = AddCrc(data, 4); datalen = AddCrc(data, 4);
recvlen = SendDataTag(data, datalen, false, speed, data); recvlen = SendDataTag(data, datalen, false, speed, buf);
WDT_HIT(); WDT_HIT();
if (recvlen >= 12) { if (recvlen >= 12) {
Dbprintf("AFI=%i UID=%s", i, sprintUID(NULL, data + 2) ); Dbprintf("AFI = %i UID = %s", i, sprintUID(NULL, buf + 2) );
} }
} }