fix buffer overflow in mifare ul load #1697
Merged
What's new
A buffer overflow exists in `nfc_device_load_mifare_ul_data` when the `pages_total` value is greater than `MF_UL_MAX_DUMP_SIZE`. This occurs because `pages_total` is parsed from the nfc file and not checked against the max size of the buffer. An nfc file with a page count greater than 2040 will result in an out of bounds write. This may result in various crashes including a BusFault crash and a NULL pointer exception. In some cases, this requires re-flashing flipper firmware to recover the device :(
Shout out to https://tmpout.sh/bggp/3/ for giving me a reason to look for bugs!! Maybe more to come ;)
Verification
Upload an nfc file containing more than 2040 pages. An example file (that will produce a null pointer dereference) is provided here:
https://gist.github.com/VVX7/c55b122846253e12f1647e2a85ab2775
Steps: saved nfc submenu and load the file.
Note: Larger files will result in similar unexpected behaviour and may not require viewing file info to trigger the crash.
Impact
An attacker could place a malicious Amiibo file in a repository like this: https://github.com/Gioman101/FlipperAmiibo/
Checklist (For Reviewer)
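The bound check the description says is missing, as an added illustration in C that is not the firmware's own code: it assumes a 2040-byte dump made of 4-byte pages, a `Pages total:` key in the file text, and the names `MfUltralightDump`, `parse_pages_total`, `mf_ul_checked_dump_len` and `mf_ul_load_checked`; only `MF_UL_MAX_DUMP_SIZE` and `pages_total` come from the PR description, and the way they are combined here is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this illustration: a 2040-byte dump of 4-byte pages. */
#define MF_UL_MAX_DUMP_SIZE 2040
#define MF_UL_PAGE_SIZE 4

typedef struct {
    uint32_t pages_total;
    uint8_t data[MF_UL_MAX_DUMP_SIZE];
} MfUltralightDump;

/* Constructed sample file headers (not real dumps); the key name is assumed. */
static const char kBenignNfc[] = "Pages total: 16\nPage 0: 04 D3 9A 12\n";
static const char kOversizedNfc[] = "Pages total: 4096\nPage 0: 00 00 00 00\n";

/* Pulls the page count out of the file text; false if absent or not numeric. */
static bool parse_pages_total(const char* nfc_text, uint32_t* out) {
    const char* p = strstr(nfc_text, "Pages total: ");
    unsigned value;
    if(!p || sscanf(p + strlen("Pages total: "), "%u", &value) != 1) return false;
    *out = value;
    return true;
}

/* The check the description says was missing: bound pages_total by the
 * buffer BEFORE any page is copied. Returns the writable byte length, or 0
 * to reject. Comparing page counts avoids overflowing pages_total * 4. */
size_t mf_ul_checked_dump_len(uint32_t pages_total) {
    if(pages_total == 0 || pages_total > MF_UL_MAX_DUMP_SIZE / MF_UL_PAGE_SIZE) return 0;
    return (size_t)pages_total * MF_UL_PAGE_SIZE;
}

/* Hardened loader: an oversized page count rejects the file instead of
 * driving an out-of-bounds write into data[]. */
bool mf_ul_load_checked(const char* nfc_text, MfUltralightDump* dump) {
    uint32_t pages_total;
    if(!parse_pages_total(nfc_text, &pages_total)) return false;
    size_t len = mf_ul_checked_dump_len(pages_total);
    if(len == 0) return false;
    dump->pages_total = pages_total;
    memset(dump->data, 0, sizeof(dump->data));
    /* Per-page parsing would fill data[0 .. len) here, never beyond it. */
    return true;
}
```

A negative count such as `Pages total: -1` parses as a huge unsigned value and is rejected by the same bound, so the loader does not need a separate sign check.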