Patch(es): Fixes for reader-nagra and reader-nagracak7

Updating to current SVN HEAD of OSCam (on Gentoo, x86_64, GCC 9.3.0, glibc 2.32) from a relatively old SVN revision caused some troubles, which I'd like to propose patches for to fix them:

1.) Buffer overflow when printing entitlements on card init

During card init of my non-merlin Nagra card, OSCam crashes with "Buffer overflow detected" when the entitlements should be printed. With that, I get four warnings during compile which match the problem:

CC      reader-nagra.c
reader-nagra.c: In function ‘GetDataType’:
reader-nagra.c:53:26: warning: ‘%02d’ directive output may be truncated writing between 2 and 11 bytes into a region of size between 4 and 11 [-Wformat-truncation=]
   53 |   snprintf(buf, l, "%04d/%02d/%02d", t.tm_year + 1900, t.tm_mon + 1, t.tm_mday);
      |                          ^~~~
reader-nagra.c:53:20: note: directive argument in the range [-2147483647, 2147483647]
   53 |   snprintf(buf, l, "%04d/%02d/%02d", t.tm_year + 1900, t.tm_mon + 1, t.tm_mday);
      |                    ^~~~~~~~~~~~~~~~
In file included from /usr/include/stdio.h:866,
                 from globals.h:6,
                 from reader-nagra.c:1:
/usr/include/bits/stdio2.h:70:10: note: ‘__builtin___snprintf_chk’ output between 11 and 36 bytes into a destination of size 16
   70 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   71 |        __bos (__s), __fmt, __va_arg_pack ());
      |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is repeated two times in reader-nagra.c, and is also printed two times during compilation of reader-nagracak7.c. This is fixed by "0001-reader-nagra-cak7-fix-buffer-overflow.patch", which also fixes the buffer overflow and makes OSCam work again.

2.) CW not dumped properly in nagra2_do_ecm()

The CWs hexdumped in nagra2_do_ecm() (since r11672) are truncated to 7 octets. "0002-reader-nagra-fix-cw-dump.patch" fixes this by properly passing the number of bytes to dump to cs_hexdump().

3.) Whitespace cleanup in reader-nagra.c

While at it, r11672 introduced some superfluous whitespace. "0003-reader-nagra-whitespace-cleanup.patch" cleans this up (cosmetic change only).

Since the first topic is a crash issue, I'm marking this as "priority: major" with "severity: medium".

Please consider these patches for inclusion into trunk. Thanks!
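As an added illustration of item 1 (this is not one of the proposed patches and not OSCam code), here is a date formatter in the shape of the snprintf call quoted in the warning: the buffer is sized for the worst-case expansion of each %d, the size passed to snprintf is the real size of the destination, and the return value is checked so a truncated date is never handed back. The names format_date, make_date and DATE_BUF_LEN are invented for this example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Worst case for "%04d/%02d/%02d": a %d can expand to 11 characters
 * ("-2147483648"), the minimum width only pads, it never limits.
 * 3 * 11 + 2 slashes + NUL = 36, which matches the upper bound GCC
 * reports in the -Wformat-truncation warning. */
#define DATE_BUF_LEN 36

/* Format t as YYYY/MM/DD into buf. Returns the number of characters
 * written (without the NUL), or -1 if the date does not fit. buflen
 * must be the real size of buf: snprintf then never writes past the
 * end, and FORTIFY_SOURCE has no reason to abort. */
static int format_date(char *buf, size_t buflen, const struct tm *t)
{
    if (buf == NULL || buflen == 0)
        return -1;
    int n = snprintf(buf, buflen, "%04d/%02d/%02d",
                     t->tm_year + 1900, t->tm_mon + 1, t->tm_mday);
    if (n < 0 || (size_t)n >= buflen) {
        buf[0] = '\0';   /* refuse to return a silently truncated date */
        return -1;
    }
    return n;
}

/* Build a struct tm from a calendar date (constructed test input). */
static struct tm make_date(int year, int month, int day)
{
    struct tm t;
    memset(&t, 0, sizeof t);
    t.tm_year = year - 1900;
    t.tm_mon = month - 1;
    t.tm_mday = day;
    return t;
}

int main(void)
{
    char small[16];            /* the 16-byte destination from the warning */
    char big[DATE_BUF_LEN];
    struct tm normal = make_date(2020, 9, 7);
    struct tm huge = make_date(2147483647, 12, 31);

    printf("%d %s\n", format_date(small, sizeof small, &normal), small);
    printf("%d\n", format_date(small, sizeof small, &huge)); /* -1: 16 chars need 17 bytes */
    printf("%d %s\n", format_date(big, sizeof big, &huge), big);
    return 0;
}
```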