From 8ea5706047cb0f6e7bd9f04306249d6a349c2239 Mon Sep 17 00:00:00 2001
From: marshmellow42
Date: Sun, 14 Feb 2016 13:24:03 -0500
Subject: [PATCH 1/1] additional memory leaks, overflow and unchecked ... return values fixed thanks to iceman1001
---
 client/cmdhfmf.c | 15 +++++++++++----
 client/util.c | 7 ++++---
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c
index 21c0cde2..d306ac65 100644
--- a/client/cmdhfmf.c
+++ b/client/cmdhfmf.c
@@ -875,6 +875,7 @@ int CmdHF14AMfChk(const char *Cmd)
 break;
 default:
 PrintAndLog("Key type must be A , B or ?");
+ free(keyBlock);
 return 1;
 };
@@ -926,6 +927,7 @@ int CmdHF14AMfChk(const char *Cmd)
 if (!p) {
 PrintAndLog("Cannot allocate memory for defKeys");
 free(keyBlock);
+ fclose(f);
 return 2;
 }
 keyBlock = p;
@@ -1219,7 +1221,7 @@ int CmdHF14AMfELoad(const char *Cmd)
 if (numblk2 > 0) numBlocks = numblk2;
 len = param_getstr(Cmd,nameParamNo,filename);
- if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+ if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 fnameptr += len;
@@ -1316,7 +1318,7 @@ int CmdHF14AMfESave(const char *Cmd)
 len = param_getstr(Cmd,nameParamNo,filename);
- if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+ if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 // user supplied filename?
 if (len < 1) {
@@ -1593,7 +1595,7 @@ int CmdHF14AMfCLoad(const char *Cmd)
 return 0;
 } else {
 len = strlen(Cmd);
- if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+ if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 memcpy(filename, Cmd, len);
 fnameptr += len;
@@ -1762,7 +1764,7 @@ int CmdHF14AMfCSave(const char *Cmd) {
 return 0;
 } else {
 len = strlen(Cmd);
- if (len > FILE_PATH_SIZE - 4) len = FILE_PATH_SIZE - 4;
+ if (len > FILE_PATH_SIZE - 5) len = FILE_PATH_SIZE - 5;
 // get filename based on UID
 if (len < 1) {
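Review bot: The default branch now has to free keyBlock on its way out, which implies the key-type argument is validated only after keyBlock was allocated (the allocation itself is outside the hunk); every other early return in CmdHF14AMfChk then needs the same free, and one is easy to miss. Validating the key type before the allocation, or routing all error exits through one cleanup label (`rc = 1; goto out;` with `out: free(keyBlock); return rc;`), removes the per-path bookkeeping. CmdHF14AMfChk starts and ends outside the hunk.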
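Review bot: The clamp on the changed line only bounds the later `fnameptr += len` arithmetic; `param_getstr(Cmd,nameParamNo,filename)` on the line above takes no destination size, so if it copies the whole parameter into `filename` before returning, an argument longer than FILE_PATH_SIZE has already overflowed the buffer by the time `len` is reduced. Worth confirming that param_getstr bounds its copy, and otherwise enforcing the limit inside it rather than after the fact. A comment saying what the 5 reserves for would also help, e.g. `// leave room for the extension appended below plus the terminator` (the exact extension is not visible in the hunk, so confirm the length). CmdHF14AMfELoad continues outside the hunk.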
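Review bot: `FILE_PATH_SIZE - 5` is now repeated by hand in four functions of this file (ELoad, ESave, CLoad, CSave) with no comment, and the correct reserve depends on the extension appended later, which the hunk does not show; bumping 4 to 5 in four places is exactly the kind of edit this commit had to make. A single named constant next to FILE_PATH_SIZE, `#define FILE_PATH_RESERVE 5 /* longest extension appended below + NUL */`, used as `if (len > FILE_PATH_SIZE - FILE_PATH_RESERVE) len = FILE_PATH_SIZE - FILE_PATH_RESERVE;`, keeps them in step. CmdHF14AMfESave starts and ends outside the hunk.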
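Review bot: After the clamp, `memcpy(filename, Cmd, len)` silently truncates an over-long user path and leaves `filename` unterminated until whatever follows `fnameptr += len` appends the extension (outside the hunk), so a later open failure reports a path the user never typed. Rejecting the name is clearer than clamping it: `if (len > FILE_PATH_SIZE - 5) { PrintAndLog("filename too long"); return 1; }`. Note also that `strlen(Cmd)` takes everything remaining on the command line, so any trailing argument becomes part of the filename — confirm that is intended. CmdHF14AMfCLoad continues outside the hunk.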
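Review bot: On a save path silent truncation is worse than on a load: `len` is cut to `FILE_PATH_SIZE - 5` and the dump is then written under a different name than the one the user gave, which can overwrite an unrelated existing file. Refusing the name is the safer choice here: `if (len > FILE_PATH_SIZE - 5) { PrintAndLog("filename too long (max %d)", FILE_PATH_SIZE - 5); return 1; }`. The filename construction and the actual write are outside the hunk.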
@@ -1906,6 +1908,11 @@ int CmdHF14AMfSniff(const char *Cmd){
 bufsize = traceLen;
 memset(buf, 0x00, traceLen);
 }
+ if (bufPtr == NULL) {
+ PrintAndLog("Cannot allocate memory for trace");
+ free(buf);
+ return 2;
+ }
 memcpy(bufPtr, resp.d.asBytes, len);
 bufPtr += len;
 pckNum++;
diff --git a/client/util.c b/client/util.c
index c4f7d200..e5cbc4aa 100644
--- a/client/util.c
+++ b/client/util.c
@@ -23,7 +23,7 @@ int ukbhit(void)
 static struct termios Otty, Ntty;
- tcgetattr( 0, &Otty);
+ if ( tcgetattr( 0, &Otty) == -1 ) return -1;
 Ntty = Otty;
 Ntty.c_iflag = 0; /* input mode */
@@ -140,8 +140,9 @@ char *sprint_bin_break(const uint8_t *data, const size_t len, const uint8_t brea
 size_t in_index = 0;
 // loop through the out_index to make sure we don't go too far
 for (size_t out_index=0; out_index < max_len; out_index++) {
- // set character
- sprintf(tmp++, "%u", data[in_index]);
+ // set character - (should be binary but verify it isn't more than 1 digit)
+ if (data[in_index]<10)
+ sprintf(tmp++, "%u", data[in_index]);
 // check if a line break is needed and we have room to print it in our array
 if ( (breaks > 0) && !((in_index+1) % breaks) && (out_index+1 != max_len) ) {
 // increment and print line break
-- 
2.39.5
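Review bot: The new NULL check sits one line after `memset(buf, 0x00, traceLen)`, so if `bufPtr` is derived from `buf` in the (re)allocation block just above the hunk — the `free(buf)` on the failure path suggests it is — a failed allocation has already been written through by the memset before the check fires. The check belongs immediately after the allocation, before `bufsize` is updated and the memset runs. It is also worth confirming that `memcpy(bufPtr, resp.d.asBytes, len)` is bounded by `bufsize`: `len` comes from the device response and the only candidate bound is the growth block above the hunk. CmdHF14AMfSniff continues outside the hunk.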
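Review bot: Returning -1 when tcgetattr() fails is non-zero, so a caller that tests `if (ukbhit())` — the usual shape for a "key pressed?" helper — will treat a missing terminal (stdin redirected from a file or pipe, where tcgetattr fails with ENOTTY) as a keypress and leave its loop on the first poll. If the intent is "no terminal, no key", `return 0;` is safer; if -1 is meant to be distinguishable, the function needs a header comment saying so and every caller has to compare against `> 0`. Either way a comment on the check, `/* no controlling tty (e.g. stdin is a pipe): cannot poll for a key */`, records the decision. ukbhit continues outside the hunk.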
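Review bot: When `data[in_index] >= 10` the new guard skips the sprintf but the loop still advances `out_index` (and, below the hunk, in_index), so the output silently loses a position and comes out shorter than the caller's max_len accounting with no indication that the input was not binary. Emitting a fixed-width placeholder keeps the layout and the trailing NUL the original gets from sprintf: `sprintf(tmp++, "%c", data[in_index] < 10 ? '0' + data[in_index] : '?');`. Given the function is named as a binary printer, rejecting anything other than 0/1 would be cleaner still, but that changes the contract for existing callers. The function's prologue and the tail of the loop are outside the hunk.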