coverity scan bug fixes

mfu keyNo buffer overflow mf reader attack key count reduced to not overrun c.d.asBytes buffer.
2025-07-30 11:38:38 -07:00 · 2017-06-06 12:12:18 -04:00 · 2017-06-06 12:12:18 -04:00 · 3d542a3dfa
commit 3d542a3dfa
parent c2ca50419d
3 changed files with 5 additions and 4 deletions
--- a/armsrc/iso14443a.c
+++ b/armsrc/iso14443a.c
@ -2418,8 +2418,8 @@ void Mifare1ksim(uint8_t flags, uint8_t exitAfterNReads, uint8_t arg2, uint8_t *
 	//Here, we collect UID,sector,keytype,NT,AR,NR,NT2,AR2,NR2
 	// This will be used in the reader-only attack.

-	//allow collecting up to 8 sets of nonces to allow recovery of up to 8 keys
-	#define ATTACK_KEY_COUNT 8 // keep same as define in cmdhfmf.c -> readerAttack()
+	//allow collecting up to 7 sets of nonces to allow recovery of up to 7 keys
+	#define ATTACK_KEY_COUNT 7 // keep same as define in cmdhfmf.c -> readerAttack() (Cannot be more than 7)
 	nonces_t ar_nr_resp[ATTACK_KEY_COUNT*2]; //*2 for 2 separate attack types (nml, moebius)
 	memset(ar_nr_resp, 0x00, sizeof(ar_nr_resp));

--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@ -1120,7 +1120,8 @@ int CmdHF14AMfChk(const char *Cmd)
 }

 void readerAttack(nonces_t ar_resp[], bool setEmulatorMem, bool doStandardAttack) {
-	#define ATTACK_KEY_COUNT 8 // keep same as define in iso14443a.c -> Mifare1ksim()
+	#define ATTACK_KEY_COUNT 7 // keep same as define in iso14443a.c -> Mifare1ksim()
+	                           // cannot be more than 7 or it will overrun c.d.asBytes(512)
 	uint64_t key = 0;
 	typedef struct {
 			uint64_t keyA;
--- a/client/cmdhfmfu.c
+++ b/client/cmdhfmfu.c
@ -1474,7 +1474,7 @@ int CmdHF14AMfucAuth(const char *Cmd){
 	//Change key to user defined one
 	if (cmdp == 'k' || cmdp == 'K'){
 		keyNo = param_get8(Cmd, 1);
-		if(keyNo > KEYS_3DES_COUNT) 
+		if(keyNo > KEYS_3DES_COUNT-1) 
 			errors = true;
 	}