Created
January 28, 2018 03:11
-
-
Save puppykitten/866c9cead1d337f6a43c44a273848663 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
int __fastcall parse_tlvs_from_APDU(parsed_tlvs_t *out_apdus, char *in_buf, int start_offset, int total_length) | |
{ | |
parsed_tlvs_t *parsed_tlvs_t; // r4 | |
char *in_buf_; // r8 | |
int total_length_; // r7 | |
int offset; // r5 | |
int i; // r6 | |
tlv_t *tlv_obj; // r0 | |
int ret; // r0 | |
parsed_tlvs_t = out_apdus; | |
in_buf_ = in_buf; | |
total_length_ = total_length; | |
offset = start_offset; | |
if ( out_apdus && out_apdus->num_slots_used ) // | |
// so this is basically an array of TLV | |
// objects that we parse out. | |
// | |
// a TLV instance always point to a tag object | |
// also, which is its kind basically. | |
{ | |
for ( i = 0; parsed_tlvs_t->num_slots_used > i; ++i ) | |
free_tlv_obj(parsed_tlvs_t->tlv_array[i]); | |
} | |
parsed_tlvs_t->num_slots_used = 0; | |
while ( 1 ) | |
{ | |
tlv_obj = create_TLV_obj_wrap(in_buf_, offset, total_length_);// checks apdu len, but nothing about destination length | |
if ( !tlv_obj ) | |
break; | |
parsed_tlvs_t->tlv_array[parsed_tlvs_t->num_slots_used++] = tlv_obj; | |
offset += get_apdu_len(tlv_obj); | |
if ( offset == total_length_ ) // | |
// we have parsed everything, return. | |
// | |
// Because this is a == check, | |
// but we have multiple byte increases for all APDUs | |
// (tag + length field(s) + value field(s), | |
// it is completely possible that we step over the total_length here, | |
// in which case we will end up SIGSEGV-ing the TA, | |
// becasue it will potentially read past the end of the array. | |
// | |
// in fact the simplest case of sending all 0s triggers this already. | |
{ | |
ret = parsed_tlvs_t->num_slots_used; | |
JUMPOUT(&return_); | |
} | |
} | |
JUMPOUT(&return_); | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment