dandri/proxmark3
1
0
Fork 0
mirror of https://github.com/RfidResearchGroup/proxmark3.git synced 2026-03-29 12:49:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix mac_input_idx to possible overflow u8, and some sanity checks that what we got doesnt overflow when we copy it into cmac calcs

Browse Source
This commit is contained in:
iceman1001
2026-03-24 12:56:26 +07:00
parent 0cde6ee075
commit 98552b54dc
1 changed files with 16 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
armsrc/seos.c
View File

@@ -276,6 +276,7 @@ void SimulateSeos(seos_emulate_req_t *msg) {
if (odd_reply) {
p_response = &responses[RESP_INDEX_ATQA];
}
} else if (receivedCmd[0] == ISO14443A_CMD_WUPA && len == 1) { // Received a WAKEUP
p_response = &responses[RESP_INDEX_ATQA];
} else if (receivedCmd[1] == 0x20 && receivedCmd[0] == ISO14443A_CMD_ANTICOLL_OR_SELECT && len == 2) { // Received request for UID (cascade 1)
@@ -301,6 +302,7 @@ void SimulateSeos(seos_emulate_req_t *msg) {
p_response = &responses[RESP_INDEX_ATS];
got_rats = true;
} else {
// clear old dynamic responses
dynamic_response_info.response_n = 0;
dynamic_response_info.modulation_n = 0;
@@ -656,13 +658,17 @@ void SimulateSeos(seos_emulate_req_t *msg) {
memcpy(rndCounter, RND_ICC, half_bs);
memcpy(rndCounter + half_bs, RND_IFD, half_bs);
// skip zero bytes
for (int8_t i = bs - 1; i >= 0; i--) {
rndCounter[i]++;
if (rndCounter[i] != 0x00) break;
if (rndCounter[i]) {
break;
}
}
uint8_t *mac_input = work_buffer_a;
uint8_t mac_input_idx = 0;
uint16_t mac_input_idx = 0;
// Add RND_* counter to mac_input
memcpy(mac_input + mac_input_idx, rndCounter, bs);
@@ -676,6 +682,10 @@ void SimulateSeos(seos_emulate_req_t *msg) {
mac_input_idx += bs;
// Add received TLV data to mac_input
if (mac_input_idx + recvd_cmac_offset + bs > WORK_BUFFER_SIZE) {
Dbprintf(_RED_("Get Data failed") ": CMAC input too large.");
break;
}
memcpy(mac_input + mac_input_idx, received_tlv, recvd_cmac_offset);
mac_input_idx += recvd_cmac_offset;
@@ -770,6 +780,10 @@ void SimulateSeos(seos_emulate_req_t *msg) {
memcpy(mac_input + mac_input_idx, rndCounter, bs);
mac_input_idx += bs;
if (mac_input_idx + (tlv_idx - tlv_base) + bs > WORK_BUFFER_SIZE) {
Dbprintf(_RED_("Get Data failed") ": Reply CMAC input too large.");
break;
}
memcpy(mac_input + mac_input_idx, dynamic_response_info.response + tlv_base, tlv_idx - tlv_base);
mac_input_idx += tlv_idx - tlv_base;