Fix out-of-bounds access in driver acr122_pcsc

Problem reported by Coverity:
CID 1091328 (#1 of 1): Out-of-bounds access (OVERRUN)
  overrun-buffer-arg: Overrunning buffer pointed to by "&abtTxBuf[6]" of 271 bytes by passing it to a function which accesses it at byte offset 271 using argument "szData" (which evaluates to 266).
Philippe Teuwen 2013-09-22 01:47:15 +02:00
parent d9b531f50f
commit d9854cfdd9

@ -80,7 +80,7 @@
#define FIRMWARE_TEXT "ACR122U" // Tested on: ACR122U101(ACS), ACR122U102(Tikitag), ACR122U203(ACS)
#define ACR122_PCSC_WRAP_LEN 5
#define ACR122_PCSC_WRAP_LEN 6
#define ACR122_PCSC_COMMAND_LEN 266
#define ACR122_PCSC_RESPONSE_LEN 268
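Review bot: The new value 6 for ACR122_PCSC_WRAP_LEN carries no comment saying what it counts, so the define can drift from the code again. It has to match the six bytes that the buffer initializer in acr122_pcsc_send writes ahead of the payload (0xFF, 0x00, 0x00, 0x00, the length byte, 0xD4); a one-line comment on the define stating that would let a reader check the two against each other. With 6 + ACR122_PCSC_COMMAND_LEN the buffer is 272 bytes, which covers the offset 271 from the Coverity report.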
@ -339,7 +339,7 @@ acr122_pcsc_send(nfc_device *pnd, const uint8_t *pbtData, const size_t szData, i
// Prepare and transmit the send buffer
const size_t szTxBuf = szData + 6;
uint8_t abtTxBuf[ACR122_PCSC_WRAP_LEN + ACR122_PCSC_COMMAND_LEN] = { 0xFF, 0x00, 0x00, 0x00, szData + 1, 0xD4 };
memcpy(abtTxBuf + 6, pbtData, szData);
memcpy(abtTxBuf + ACR122_PCSC_WRAP_LEN, pbtData, szData);
LOG_HEX(NFC_LOG_GROUP_COM, "TX", abtTxBuf, szTxBuf);
DRIVER_DATA(pnd)->szRx = 0;
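Review bot: The line "const size_t szTxBuf = szData + 6;" still hard-codes the 6 that the memcpy now takes from ACR122_PCSC_WRAP_LEN, so the transmit length and the copy offset can diverge again if the define changes; use szData + ACR122_PCSC_WRAP_LEN there as well. Two further points on the same lines: no check that szData <= ACR122_PCSC_COMMAND_LEN is visible before the memcpy, so confirm one exists earlier in the function, and the initializer stores szData + 1 in a uint8_t element, which cannot hold the value when szData is 266 as in the Coverity report, so the length byte would be truncated for the largest inputs.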