<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>NFCのトピックRe: FCI buffer size of when calling phalVca_IsoSelect()</title>
    <link>https://community.nxp.com/t5/NFC/FCI-buffer-size-of-when-calling-phalVca-IsoSelect/m-p/1340684#M8853</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;sorry for the late repy. I was not notified of your reply and then I forgot about this thread a bit....&lt;/P&gt;&lt;P&gt;My question is not so much about the example but more about how the method 'phalVca_IsoSelect()' is to be used. I took a closer look at the code and think that a buffer overflow is possible in the method 'phalVca_Sw_IsoSelect()' (in file 'phalVca_Sw.c'), which is called from 'phalVca_IsoSelect()'.&lt;/P&gt;&lt;P&gt;My concerns is that 'pFCI' will overflow if the file 31 of a DESFire is larger than the buffer behind 'pFCI'. The memcpy is wrong in my opinion without a prior check of the buffer size.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;"NFC Reader Library v06.11.00 for CLRC663 including all software examples"; File 'phalVca_Sw.c'; line 735-737&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;P&gt;/* FCI contains contents of FileID 31 of the DF */&lt;BR /&gt;memcpy(pFCI, &amp;amp;pRecv[0], wRxlen-2);&lt;BR /&gt;*pwFCILen = wRxlen - 2;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;</description>
    <pubDate>Wed, 15 Sep 2021 14:35:45 GMT</pubDate>
    <dc:creator>timriddermann</dc:creator>
    <dc:date>2021-09-15T14:35:45Z</dc:date>
    <item>
      <title>FCI buffer size of when calling phalVca_IsoSelect()</title>
      <link>https://community.nxp.com/t5/NFC/FCI-buffer-size-of-when-calling-phalVca-IsoSelect/m-p/1082956#M7450</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I wonder how big the buffer size of the FCI must be when I call the function phalVca_IsoSelect()?&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;In an example of the NXP Reader Library for DESFire EV2, the buffer "uint8_t FCI[40];" is created and passed to the function.However, I am afraid that a buffer overflow can occur if an FCI is received from the DESFire which is larger than 40 bytes.&amp;nbsp;As far as I know this can happen if the file 31 of the DESFire is larger than 40 bytes.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="color: #51626f; background-color: #ffffff;"&gt;Best regards,&lt;/SPAN&gt;&lt;BR style="color: #51626f; background-color: #ffffff;" /&gt;&lt;SPAN style="color: #51626f; background-color: #ffffff;"&gt;Tim&lt;/SPAN&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 11 Aug 2020 12:38:42 GMT</pubDate>
      <guid>https://community.nxp.com/t5/NFC/FCI-buffer-size-of-when-calling-phalVca-IsoSelect/m-p/1082956#M7450</guid>
      <dc:creator>timriddermann</dc:creator>
      <dc:date>2020-08-11T12:38:42Z</dc:date>
    </item>
    <item>
      <title>Re: FCI buffer size of when calling phalVca_IsoSelect()</title>
      <link>https://community.nxp.com/t5/NFC/FCI-buffer-size-of-when-calling-phalVca-IsoSelect/m-p/1132810#M7630</link>
      <description>&lt;P&gt;Hi ,&lt;/P&gt;
&lt;P&gt;I am not sure to which example for EV2 you are referring, the examples available are for EV1.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;BR&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Jonathan&lt;/P&gt;</description>
      <pubDate>Tue, 01 Sep 2020 02:38:43 GMT</pubDate>
      <guid>https://community.nxp.com/t5/NFC/FCI-buffer-size-of-when-calling-phalVca-IsoSelect/m-p/1132810#M7630</guid>
      <dc:creator>Jonathan_Iglesias</dc:creator>
      <dc:date>2020-09-01T02:38:43Z</dc:date>
    </item>
    <item>
      <title>Re: FCI buffer size of when calling phalVca_IsoSelect()</title>
      <link>https://community.nxp.com/t5/NFC/FCI-buffer-size-of-when-calling-phalVca-IsoSelect/m-p/1340684#M8853</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;sorry for the late repy. I was not notified of your reply and then I forgot about this thread a bit....&lt;/P&gt;&lt;P&gt;My question is not so much about the example but more about how the method 'phalVca_IsoSelect()' is to be used. I took a closer look at the code and think that a buffer overflow is possible in the method 'phalVca_Sw_IsoSelect()' (in file 'phalVca_Sw.c'), which is called from 'phalVca_IsoSelect()'.&lt;/P&gt;&lt;P&gt;My concerns is that 'pFCI' will overflow if the file 31 of a DESFire is larger than the buffer behind 'pFCI'. The memcpy is wrong in my opinion without a prior check of the buffer size.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;"NFC Reader Library v06.11.00 for CLRC663 including all software examples"; File 'phalVca_Sw.c'; line 735-737&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;BLOCKQUOTE&gt;&lt;P&gt;/* FCI contains contents of FileID 31 of the DF */&lt;BR /&gt;memcpy(pFCI, &amp;amp;pRecv[0], wRxlen-2);&lt;BR /&gt;*pwFCILen = wRxlen - 2;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;</description>
      <pubDate>Wed, 15 Sep 2021 14:35:45 GMT</pubDate>
      <guid>https://community.nxp.com/t5/NFC/FCI-buffer-size-of-when-calling-phalVca-IsoSelect/m-p/1340684#M8853</guid>
      <dc:creator>timriddermann</dc:creator>
      <dc:date>2021-09-15T14:35:45Z</dc:date>
    </item>
  </channel>
</rss>

