]> cvs.zerfleddert.de Git - proxmark3-svn/commitdiff
FIX: LEGIC - potential stack corruption calculating CRC from user input
authorAlexis Green <alexis@cessp.it>
Tue, 2 Aug 2016 21:10:33 +0000 (14:10 -0700)
committerAlexis Green <alexis@cessp.it>
Tue, 2 Aug 2016 21:10:33 +0000 (14:10 -0700)
client/cmdhflegic.c

index d55ea98d8907deccbe111a5a8d95e326425c2077..9168258122140048a1ec15156a2d4d18f302b60b 100644 (file)
@@ -570,23 +570,36 @@ int CmdLegicCalcCrc8(const char *Cmd){
        uint8_t cmdp = 0, uidcrc = 0, type=0;
        bool errors = false;
        int len = 0;
+       int bg, en;
        
        while(param_getchar(Cmd, cmdp) != 0x00) {
                switch(param_getchar(Cmd, cmdp)) {
                case 'b':
                case 'B':
+                       // peek at length of the input string so we can
+                       // figure out how many elements to malloc in "data"
+                       bg=en=0;
+                       param_getptr(Cmd, &bg, &en, cmdp+1);
+                       len = (en - bg + 1);
+
+                       // check that user entered even number of characters
+                       // for hex data string
+                       if (len & 1) {
+                               errors = true;
+                               break;
+                       }
+
                        // it's possible for user to accidentally enter "b" parameter
                        // more than once - we have to clean previous malloc
                        if (data) free(data);
-                       data = malloc(len);
+                       data = malloc(len >> 1);
                        if ( data == NULL ) {
                                PrintAndLog("Can't allocate memory. exiting");
                                errors = true;
                                break;
-                       }                       
-                       param_gethex_ex(Cmd, cmdp+1, data, &len);
-                       // if odd symbols, (hexbyte must be two symbols)
-                       if ( len & 1 ) errors = true;
+                       }
+                       
+                       param_gethex(Cmd, cmdp+1, data, len);
 
                        len >>= 1;      
                        cmdp += 2;
Impressum, Datenschutz