AnsweredAssumed Answered

Bug report with NFC03A1

Question asked by samuel.poiraud.005 on Feb 23, 2017
Latest reply on May 2, 2017 by NFC software support 3

We are using the NFC03A1 board with Nucleo F103RB.


In the function :

int8_t PCD_ProtocolSelect(const uint8_t Length,const uint8_t Protocol,const uint8_t *Parameters,uint8_t *pResponse)


There is a buffer DataToSend[SELECT_BUFFER_SIZE] where SELECT_BUFFER_SIZE  is 6.

Then we fit the buffer with datas depending on the Lenght argument... until "3 + Length - 1"


In the function : ISO14443A_ConfigFDTforAnticollision(), we can read :


if( IcVers >= QJE)
   NbParam = 6;
   NbParam = 4;
status = PCD_ProtocolSelect((NbParam+1),PCD_PROTOCOL_ISO14443A,ProtocolSelectParameters,pDataRead);


... and we got a buffer overflow!


We solved the problem with :