From d9854cfdd9e5515568949ef67a989d68fc954cdf Mon Sep 17 00:00:00 2001
From: Philippe Teuwen
Date: Sun, 22 Sep 2013 01:47:15 +0200
Subject: [PATCH] Fix out-of-bounds access in driver acr122_pcsc
Problem reported by Coverity: CID 1091328 (#1 of 1): Out-of-bounds access (OVERRUN) overrun-buffer-arg: Overrunning buffer pointed to by "&abtTxBuf[6]" of 271 bytes by passing it to a function which accesses it at byte offset 271 using argument "szData" (which evaluates to 266).
---
 libnfc/drivers/acr122_pcsc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libnfc/drivers/acr122_pcsc.c b/libnfc/drivers/acr122_pcsc.c
index f3b4d9a..6d7c9e6 100644
--- a/libnfc/drivers/acr122_pcsc.c
+++ b/libnfc/drivers/acr122_pcsc.c
@@ -80,7 +80,7 @@
 #define FIRMWARE_TEXT "ACR122U" // Tested on: ACR122U101(ACS), ACR122U102(Tikitag), ACR122U203(ACS)
-#define ACR122_PCSC_WRAP_LEN 5
+#define ACR122_PCSC_WRAP_LEN 6
 #define ACR122_PCSC_COMMAND_LEN 266
 #define ACR122_PCSC_RESPONSE_LEN 268
@@ -339,7 +339,7 @@ acr122_pcsc_send(nfc_device *pnd, const uint8_t *pbtData, const size_t szData, i
 // Prepare and transmit the send buffer
 const size_t szTxBuf = szData + 6;
 uint8_t abtTxBuf[ACR122_PCSC_WRAP_LEN + ACR122_PCSC_COMMAND_LEN] = { 0xFF, 0x00, 0x00, 0x00, szData + 1, 0xD4 };
-memcpy(abtTxBuf + 6, pbtData, szData);
+memcpy(abtTxBuf + ACR122_PCSC_WRAP_LEN, pbtData, szData);
 LOG_HEX(NFC_LOG_GROUP_COM, "TX", abtTxBuf, szTxBuf);
 DRIVER_DATA(pnd)->szRx = 0;
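Review bot: The new memcpy in acr122_pcsc_send is still only as safe as the caller's szData: nothing in the hunk checks szData against ACR122_PCSC_COMMAND_LEN before copying into abtTxBuf, so the buffer sizing fixed here holds only for callers that already respect the 266-byte limit; an explicit guard such as `if (szData > ACR122_PCSC_COMMAND_LEN) { /* reject: payload exceeds the wrapped command size */ }` placed before the buffer is built would make the driver robust against a too-large payload instead of relying on that convention. Separately, the initializer stores `szData + 1` into a uint8_t element (the APDU Lc byte); if szData may really reach ACR122_PCSC_COMMAND_LEN (266), the value 267 does not fit in that byte and wraps, so the length byte and the actual payload would disagree — this looks worth either documenting the effective limit or checking for it alongside the guard above. For consistency with the new memcpy, the sizing line two lines earlier should also use the macro rather than the literal the commit just removed: `const size_t szTxBuf = szData + ACR122_PCSC_WRAP_LEN;`. The enclosing function starts before and continues past this hunk, so a check placed earlier in the body (e.g. at parameter validation) would be outside the visible lines.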