From 735136e6a33e4851127b45d373ea58f1710bd1f4 Mon Sep 17 00:00:00 2001 From: marshmellow42 Date: Sun, 14 Feb 2016 13:37:05 -0500 Subject: [PATCH 1/1] lf t55 bruteforce lots of resource leaks... plus strlen(Cmd) can never be less than 0 iceman1001 fixes... --- client/cmdlft55xx.c | 31 +++++++++++++++++++++++-------- client/cmdlfviking.c | 8 ++++---- 2 files changed, 27 insertions(+), 12 deletions(-) diff --git a/client/cmdlft55xx.c b/client/cmdlft55xx.c index 348cb229..5d797edc 100644 --- a/client/cmdlft55xx.c +++ b/client/cmdlft55xx.c @@ -1371,11 +1371,9 @@ int CmdT55xxBruteForce(const char *Cmd) { char buf[9]; char filename[FILE_PATH_SIZE]={0}; int keycnt = 0; + int ch; uint8_t stKeyBlock = 20; - uint8_t *keyBlock = NULL, *p; - keyBlock = calloc(stKeyBlock, 6); - if (keyBlock == NULL) return 1; - + uint8_t *keyBlock = NULL, *p = NULL; uint32_t start_password = 0x00000000; //start password uint32_t end_password = 0xFFFFFFFF; //end password bool found = false; @@ -1383,6 +1381,9 @@ int CmdT55xxBruteForce(const char *Cmd) { char cmdp = param_getchar(Cmd, 0); if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce(); + keyBlock = calloc(stKeyBlock, 6); + if (keyBlock == NULL) return 1; + if (cmdp == 'i' || cmdp == 'I') { int len = strlen(Cmd+2); @@ -1417,6 +1418,7 @@ int CmdT55xxBruteForce(const char *Cmd) { if (!p) { PrintAndLog("Cannot allocate memory for defaultKeys"); free(keyBlock); + fclose(f); return 2; } keyBlock = p; @@ -1431,6 +1433,7 @@ int CmdT55xxBruteForce(const char *Cmd) { if (keycnt == 0) { PrintAndLog("No keys found in file"); + free(keyBlock); return 1; } PrintAndLog("Loaded %d keys", keycnt); @@ -1440,8 +1443,10 @@ int CmdT55xxBruteForce(const char *Cmd) { for (uint16_t c = 0; c < keycnt; ++c ) { if (ukbhit()) { - getchar(); + ch = getchar(); + (void)ch; printf("\naborted via keyboard!\n"); + free(keyBlock); return 0; } @@ -1451,6 +1456,7 @@ int CmdT55xxBruteForce(const char *Cmd) { if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, testpwd)) { PrintAndLog("Aquireing data from device failed. Quitting"); + free(keyBlock); return 0; } @@ -1458,10 +1464,12 @@ int CmdT55xxBruteForce(const char *Cmd) { if ( found ) { PrintAndLog("Found valid password: [%08X]", testpwd); + free(keyBlock); return 0; } } PrintAndLog("Password NOT found."); + free(keyBlock); return 0; } @@ -1471,8 +1479,10 @@ int CmdT55xxBruteForce(const char *Cmd) { start_password = param_get32ex(Cmd, 0, 0, 16); end_password = param_get32ex(Cmd, 1, 0, 16); - if ( start_password >= end_password ) return usage_t55xx_bruteforce(); - + if ( start_password >= end_password ) { + free(keyBlock); + return usage_t55xx_bruteforce(); + } PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password); uint32_t i = start_password; @@ -1482,13 +1492,16 @@ int CmdT55xxBruteForce(const char *Cmd) { printf("."); fflush(stdout); if (ukbhit()) { - getchar(); + ch = getchar(); + (void)ch; printf("\naborted via keyboard!\n"); + free(keyBlock); return 0; } if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, TRUE, i)) { PrintAndLog("Aquireing data from device failed. Quitting"); + free(keyBlock); return 0; } found = tryDetectModulation(); @@ -1503,6 +1516,8 @@ int CmdT55xxBruteForce(const char *Cmd) { PrintAndLog("Found valid password: [%08x]", i); else PrintAndLog("Password NOT found. Last tried: [%08x]", --i); + + free(keyBlock); return 0; } diff --git a/client/cmdlfviking.c b/client/cmdlfviking.c index 8c0656d2..5c0e590c 100644 --- a/client/cmdlfviking.c +++ b/client/cmdlfviking.c @@ -66,7 +66,7 @@ int CmdVikingClone(const char *Cmd) { uint64_t rawID = 0; bool Q5 = false; char cmdp = param_getchar(Cmd, 0); - if (strlen(Cmd) < 0 || cmdp == 'h' || cmdp == 'H') return usage_lf_viking_clone(); + if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_lf_viking_clone(); id = param_get32ex(Cmd, 0, 0, 16); if (id == 0) return usage_lf_viking_clone(); @@ -74,8 +74,8 @@ int CmdVikingClone(const char *Cmd) { Q5 = true; rawID = getVikingBits(id); - PrintAndLog("Cloning - ID: %08X, Raw: %08X%08X",id,(uint32_t)(rawID >> 32),(uint32_t) (rawID & 0xFFFFFFFF)); - UsbCommand c = {CMD_VIKING_CLONE_TAG,{rawID >> 32, rawID & 0xFFFFFFFF, Q5}}; + + UsbCommand c = {CMD_VIKING_CLONE_TAG,{rawID >> 32, rawID & 0xFFFF, Q5}}; clearCommandBuffer(); SendCommand(&c); //check for ACK @@ -89,7 +89,7 @@ int CmdVikingSim(const char *Cmd) { uint8_t clk = 32, encoding = 1, separator = 0, invert = 0; char cmdp = param_getchar(Cmd, 0); - if (strlen(Cmd) < 0 || cmdp == 'h' || cmdp == 'H') return usage_lf_viking_sim(); + if (strlen(Cmd) == 0 || cmdp == 'h' || cmdp == 'H') return usage_lf_viking_sim(); id = param_get32ex(Cmd, 0, 0, 16); if (id == 0) return usage_lf_viking_sim(); -- 2.39.5