crewID/libfreefare
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Prevent mifare_desfire_read_data() overflow.

Browse source 
Depending on the communication settings, mifare_desfire_read_data() may
write more than the provided "length" bytes to the "data" buffer,
possibly causing data corruption or crashes if no special care is taken.

Since the test suite is precisely a "no special care is taken" example,
assume only "length" bytes can be written to the "data" buffer and rely
on a temporary buffer for cryptographic operations.

Fixes  issue 28.
This commit is contained in:
Romain Tartière 2014-04-16 01:54:14 +02:00
parent 8290d3d8cc
commit 57e1fceb6b
3 changed files with 39 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

7
test/test_mifare_desfire_ev1.c
View file

@ -122,6 +122,13 @@ test_mifare_desfire_ev1_aes2 (void)
cut_assert_success ("mifare_desfire_read_data");
cut_assert_equal_memory (buffer, res, sample_data, 27, cut_message ("AES crypto failed"));
char canaries[] = "Canaries Canaries Canaries Canaries Canaries";
res = mifare_desfire_read_data_ex (tag, 1, 0, 1, canaries, MDCM_MACED);
cut_assert_success ("mifare_desfire_read_data");
cut_assert_equal_int (1, res, cut_message ("Reading 1 byte should return 1 byte"));
cut_assert_equal_memory (canaries, 44, "Hanaries Canaries Canaries Canaries Canaries", 44, cut_message ("Canaries got smashed!"));
uint8_t s, c;
res = mifare_desfire_get_key_settings (tag, &s, &c);
cut_assert_success ("mifare_desfire_get__key_settings");