photomattmills / proxmark3

Automatically exported from code.google.com/p/proxmark3

Buffer overflow in Iso15693sprintUID() #23

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What version of the product are you using? On what operating system?

r468 on Ubuntu 10.10 - 64

When dumping ISO 15693 tags, the client often prints malformed UIDs:

proxmark3>  hf 15 dumpmemory
proxmark3> Reading memory from tag UID=E007000011FE6B0CЊt
Tag Info: Texas Instrument; Tag-it HF-I Plus Inlay; 64x32bit
proxmark3> Block  0   20 23 0A 23     #.#
...

Sometimes the client just crashes:

#0  0x00007ffff5bcd067 in __vfprintf_chk () from /lib/libc.so.6
#1  0x0000000000404f71 in vfprintf (
    fmt=0x414dc8 "Reading memory from tag UID=%s")
    at /usr/include/bits/stdio2.h:128
#2  PrintAndLog (fmt=0x414dc8 "Reading memory from tag UID=%s") at ui.c:44
#3  0x000000000040b2a0 in CmdHF15DumpMem (Cmd=<value optimized out>)
    at cmdhf15.c:280
...

The problem results from an invalid buffer length in iso15693tools.c in
function Iso15693sprintUID():

char* Iso15693sprintUID(char *target,uint8_t *uid) {
  static char tempbuf[9]="";
  if (target==NULL) target=tempbuf;
  sprintf(target,"%02hX%02hX%02hX%02hX%02hX%02hX%02hX%02hX",
        uid[7],uid[6],uid[5],uid[4],uid[3],uid[2],uid[1],uid[0]);
  return target;
}

The tempbuf can store up to 9 bytes, but the sprintf will write 2*8 bytes
plus one byte for an end marker. Therefore the tempbuf should be declared
as:

static char tempbuf[2*8+1]={0};

Original issue reported on code.google.com by mar...@mailbeschleuniger.de on 16 Mar 2011 at 12:07
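The overflow described above is a fixed-size destination fed by an unbounded sprintf: eight UID bytes become sixteen hex characters plus a terminating NUL, so any buffer shorter than 17 bytes is corrupted. The following is an added example, not code from the proxmark3 project: a bounds-checked variant of the function (the name iso15693_uid_to_hex, the explicit size parameter, and the sample UID are assumptions) that sizes its static buffer from the UID length, refuses to write into a target that is too small, and uses snprintf so a wrong caller-supplied length degrades into a NULL return rather than memory corruption. The sample UID is constructed to reproduce the UID shown in the reported dump output.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* An ISO 15693 UID is 8 bytes. Printed as hex it needs 2 characters per byte
 * plus the terminating NUL: 2*8+1 = 17 bytes. A 9-byte buffer is overrun by
 * 8 bytes, which is exactly the defect reported in the issue. */
#define ISO15693_UID_LEN     8
#define ISO15693_UID_STRLEN  (2 * ISO15693_UID_LEN + 1)

/* Hardened variant (assumed name and signature, not the project's API).
 * The caller passes the size of target; a NULL target selects an internal
 * static buffer, as in the original. Bytes are emitted most-significant
 * first (uid[7] .. uid[0]) to match the original formatting. Returns NULL
 * instead of writing when the destination cannot hold the full string. */
char *iso15693_uid_to_hex(char *target, size_t target_len, const uint8_t *uid)
{
    static char tempbuf[ISO15693_UID_STRLEN] = {0};

    if (target == NULL) {
        target = tempbuf;
        target_len = sizeof tempbuf;
    }
    if (uid == NULL || target_len < ISO15693_UID_STRLEN)
        return NULL;                    /* would overflow: refuse, do not corrupt */

    size_t pos = 0;
    for (int i = ISO15693_UID_LEN - 1; i >= 0; i--) {
        /* snprintf bounds every write by the remaining space, including the NUL */
        int n = snprintf(target + pos, target_len - pos, "%02X", (unsigned)uid[i]);
        if (n < 0 || (size_t)n >= target_len - pos)
            return NULL;                /* truncated; cannot happen after the size check */
        pos += (size_t)n;
    }
    return target;
}

/* Constructed sample: the byte order that prints as E007000011FE6B0C,
 * the UID visible in the reported "Reading memory from tag UID=" line. */
static const uint8_t kSampleUid[ISO15693_UID_LEN] = {
    0x0C, 0x6B, 0xFE, 0x11, 0x00, 0x00, 0x07, 0xE0
};

/* Formats the sample UID through the internal static buffer path. */
const char *sample_uid_hex(void)
{
    return iso15693_uid_to_hex(NULL, 0, kSampleUid);
}

/* Returns 1 when a 9-byte destination (the original tempbuf size) is
 * correctly rejected instead of being overrun. */
int small_buffer_rejected(void)
{
    char small[9];
    return iso15693_uid_to_hex(small, sizeof small, kSampleUid) == NULL;
}

int main(void)
{
    char buf[ISO15693_UID_STRLEN];
    printf("UID=%s\n", iso15693_uid_to_hex(buf, sizeof buf, kSampleUid));
    printf("9-byte target rejected: %d\n", small_buffer_rejected());
    return 0;
}
```

The size check is what the original lacked: with the target length carried alongside the pointer, the 9-byte static buffer that caused the garbled UID and the crash in the vfprintf frame above can no longer be written past, and a caller that passes an undersized buffer gets a detectable NULL rather than silent heap or data-segment corruption.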

GoogleCodeExporter commented 8 years ago
thank you for fixing my bug - can someone please close this issue? 

Original comment by adr...@atrox.at on 14 Oct 2011 at 10:57

GoogleCodeExporter commented 8 years ago

Original comment by dn3...@gmail.com on 29 May 2012 at 1:09