timmerk / libfreefare

Automatically exported from code.google.com/p/libfreefare

mifare_desfire_read_data() reads behind end of buffer #28

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The internal function read_data() in mifare_desfire.c contains the following 
comment:

    /*
     * FIXME: This is bogus: the user has to provide a data buffer with enougth
     * room to store CRC + padding or MAC.  If the user wants to read 1 byte,
     * there is no reason to provide a 16 bytes buffer.
     */

It is absolutely unacceptable that read_data() reads bytes from data beyond 
length. Please either document how long the buffer behind data has to be or 
rework the function to write at most length bytes into data. As is, this is a 
huge security hole and makes writing a library wrapper extremely difficult as I 
cannot make any assumptions about extra memory I must allocate beyond what is 
documented. Please fix this issue ASAP.

Original issue reported on code.google.com by fuz...@gmail.com on 9 Apr 2014 at 6:24
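
One way a wrapper can contain the behaviour reported above, as an added example that is not libfreefare code and not part of the original thread: the read goes into a scratch buffer that has room for the trailer, and only `length` bytes reach the caller. `raw_read`, `bounded_read` and `TRAILER_MAX` are hypothetical names, and the 16-byte trailer size is an assumption taken from the FIXME comment, not a documented bound.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed worst-case trailer (CRC + padding or MAC); 16 comes from the FIXME
 * comment quoted in the issue, not from library documentation. */
#define TRAILER_MAX 16

/* Hypothetical stand-in for the card read: like the read_data() described in
 * the issue, it stores `length` payload bytes AND a trailer into `data`. */
static long raw_read(size_t length, void *data)
{
    uint8_t *p = data;
    memset(p, 0xAB, length);                /* constructed payload */
    memset(p + length, 0xEE, TRAILER_MAX);  /* trailer lands past `length` */
    return (long)length;
}

/* Bounded wrapper: the raw read only ever sees a scratch buffer with room for
 * the trailer; the caller's buffer receives at most `length` bytes. */
long bounded_read(size_t length, void *out)
{
    if (out == NULL || length > SIZE_MAX - TRAILER_MAX)
        return -1;                          /* reject NULL and size overflow */
    uint8_t *scratch = malloc(length + TRAILER_MAX);
    if (scratch == NULL)
        return -1;
    long n = raw_read(length, scratch);
    if (n < 0 || (size_t)n > length) {      /* never trust the reported size */
        free(scratch);
        return -1;
    }
    memcpy(out, scratch, (size_t)n);
    free(scratch);
    return n;
}

/* Demonstration: read 1 byte into a 1-byte field followed by a canary. */
int canary_intact_after_read(void)
{
    struct { uint8_t data[1]; uint8_t canary[TRAILER_MAX]; } s;
    memset(s.canary, 0x5A, sizeof s.canary);
    if (bounded_read(sizeof s.data, s.data) != 1 || s.data[0] != 0xAB)
        return 0;
    for (size_t i = 0; i < sizeof s.canary; i++)
        if (s.canary[i] != 0x5A)
            return 0;                       /* memory past `length` was touched */
    return 1;
}
```
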

GoogleCodeExporter commented 9 years ago
This issue was closed by revision 57e1fceb6b06.

Original comment by romain.t...@gmail.com on 16 Apr 2014 at 12:03

GoogleCodeExporter commented 9 years ago
The submitted fix is actually not sufficient for reading a Record File as a 
while when no size is specified.

Assign to me as I have started something last week but failed to update this 
entry.

Original comment by romain.t...@gmail.com on 20 Apr 2014 at 6:11

GoogleCodeExporter commented 9 years ago
Please s/whiles/whole/ in the previous comment.

Original comment by romain.t...@gmail.com on 20 Apr 2014 at 6:12