From d23f3f2c9a0680d925f9282e535e60fcaed94a4a Mon Sep 17 00:00:00 2001 From: iceman1001 Date: Sun, 24 May 2015 21:50:15 +0200 Subject: [PATCH] FIX: ELOAD/ESAVE/CLOAD/CSAVE filename bufferoverflow, and filename generation if UID not readable. Thanks @p-l- ref: https://github.com/Proxmark/proxmark3/commit/0b14440dce5d879fed70afb455b1f7c56ee85b1e --- client/cmdhfmf.c | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/client/cmdhfmf.c b/client/cmdhfmf.c index 676a8884..f486fc25 100644 --- a/client/cmdhfmf.c +++ b/client/cmdhfmf.c @@ -1200,9 +1200,9 @@ int CmdHF14AMfELoad(const char *Cmd) len = param_getstr(Cmd,nameParamNo,filename); - if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; + if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4; - fnameptr += len-4; + fnameptr += len; sprintf(fnameptr, ".eml"); @@ -1299,19 +1299,22 @@ int CmdHF14AMfESave(const char *Cmd) len = param_getstr(Cmd,nameParamNo,filename); - if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; + if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4; // user supplied filename? if (len < 1) { // get filename (UID from memory) if (mfEmlGetMem(buf, 0, 1)) { PrintAndLog("Can\'t get UID from block: %d", 0); - sprintf(filename, "dump.eml"); + len = sprintf(fnameptr, "dump"); + fnameptr += len; + } + else { + for (j = 0; j < 7; j++, fnameptr += 2) + sprintf(fnameptr, "%02X", buf[j]); } - for (j = 0; j < 7; j++, fnameptr += 2) - sprintf(fnameptr, "%02X", buf[j]); } else { - fnameptr += len-4; + fnameptr += len; } // add file extension @@ -1572,10 +1575,10 @@ int CmdHF14AMfCLoad(const char *Cmd) return 0; } else { len = strlen(Cmd); - if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; + if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4; memcpy(filename, Cmd, len); - fnameptr += len-4; + fnameptr += len; sprintf(fnameptr, ".eml"); @@ -1742,16 +1745,18 @@ int CmdHF14AMfCSave(const char *Cmd) { return 0; } else { len = strlen(Cmd); - if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE; + if (len > FILE_PATH_SIZE) len = FILE_PATH_SIZE - 4; if (len < 1) { // get filename if (mfCGetBlock(0, buf, CSETBLOCK_SINGLE_OPER)) { PrintAndLog("Cant get block: %d", 0); - return 1; + len = sprintf(fnameptr, "dump"); + fnameptr += len; + } else { + for (j = 0; j < 7; j++, fnameptr += 2) + sprintf(fnameptr, "%02x", buf[j]); } - for (j = 0; j < 7; j++, fnameptr += 2) - sprintf(fnameptr, "%02x", buf[j]); } else { memcpy(filename, Cmd, len); fnameptr += len; -- 2.39.5