
Bug report with NFC03A1

Question asked by samuel.poiraud.005 on Feb 23, 2017
Latest reply on May 2, 2017 by NFC software support 3

We are using the NFC03A1 board with Nucleo F103RB.

 

In the function :

int8_t PCD_ProtocolSelect(const uint8_t Length,const uint8_t Protocol,const uint8_t *Parameters,uint8_t *pResponse)

 

There is a buffer DataToSend[SELECT_BUFFER_SIZE] where SELECT_BUFFER_SIZE is 6.

Then we fit the buffer with data depending on the Length argument... until "3 + Length - 1"

 

In the function : ISO14443A_ConfigFDTforAnticollision(), we can read :

 

if( IcVers >= QJE)
   NbParam = 6;
else
   NbParam = 4;
status = PCD_ProtocolSelect((NbParam+1),PCD_PROTOCOL_ISO14443A,ProtocolSelectParameters,pDataRead);

 

... and we got a buffer overflow!

 

We solved the problem with :

#define SELECT_BUFFER_SIZE 10
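The size arithmetic behind the report, as an added example that is not part of the original post or of the ST library: a bounds-checked frame builder that rejects a Length that does not fit instead of writing past the buffer. The function names, the three-byte header layout (command, length, protocol) and the 0x02 byte values are assumptions made for illustration; the frame size follows the post's "3 + Length - 1".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEADER_BYTES 3u  /* assumed layout: command, length, protocol */

/* Bytes written for a given Length: the post's "3 + Length - 1". */
static size_t select_frame_size(uint8_t length)
{
    return HEADER_BYTES + (size_t)length - 1u;
}

/* Hypothetical bounds-checked builder. Returns the number of bytes written,
 * or -1 if the frame does not fit in out[] (nothing is written then). */
static int build_select_frame(uint8_t *out, size_t out_size, uint8_t cmd,
                              uint8_t length, uint8_t protocol,
                              const uint8_t *params)
{
    if (length == 0 || select_frame_size(length) > out_size)
        return -1;
    out[0] = cmd;
    out[1] = length;
    out[2] = protocol;
    memcpy(&out[HEADER_BYTES], params, (size_t)length - 1u);
    return (int)select_frame_size(length);
}

int main(void)
{
    const uint8_t params[6] = {0};  /* constructed sample parameters */
    uint8_t small[6], fixed[10];    /* original size and the post's fix */
    /* NbParam = 6 and NbParam = 4, passed as NbParam + 1 like the caller. */
    const uint8_t lengths[] = {7, 5};
    for (size_t i = 0; i < sizeof lengths; i++) {
        uint8_t len = lengths[i];
        /* 0x02 command/protocol bytes are constructed sample values. */
        printf("Length=%u needs %zu bytes: size 6 -> %d, size 10 -> %d\n",
               (unsigned)len, select_frame_size(len),
               build_select_frame(small, sizeof small, 0x02, len, 0x02, params),
               build_select_frame(fixed, sizeof fixed, 0x02, len, 0x02, params));
    }
    return 0;
}
```

Under the assumed layout both branches of the caller (NbParam 6 and NbParam 4) need more than 6 bytes, and both fit in 10.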

 

 
