channels/smartcard: fix buffer read alignment in SCardTransmit parsing

Marc-André Moreau 2015-01-23 14:19:15 -05:00
parent bcf3a551c4
commit bcc702346f


@ -2161,6 +2161,8 @@ UINT32 smartcard_unpack_transmit_call(SMARTCARD_DEVICE* smartcard, wStream* s, T
pbExtraBytes = &((BYTE*) call->pioSendPci)[sizeof(SCARD_IO_REQUEST)]; pbExtraBytes = &((BYTE*) call->pioSendPci)[sizeof(SCARD_IO_REQUEST)];
Stream_Read(s, pbExtraBytes, ioSendPci.cbExtraBytes); Stream_Read(s, pbExtraBytes, ioSendPci.cbExtraBytes);
smartcard_unpack_read_size_align(smartcard, s, ioSendPci.cbExtraBytes, 4);
} }
else else
{ {
@ -2210,21 +2212,23 @@ UINT32 smartcard_unpack_transmit_call(SMARTCARD_DEVICE* smartcard, wStream* s, T
} }
Stream_Read(s, call->pbSendBuffer, call->cbSendLength); Stream_Read(s, call->pbSendBuffer, call->cbSendLength);
smartcard_unpack_read_size_align(smartcard, s, call->cbSendLength, 4);
} }
if (pioRecvPciNdrPtr) if (pioRecvPciNdrPtr)
{ {
if (Stream_GetRemainingLength(s) < 8) if (Stream_GetRemainingLength(s) < 16)
{ {
WLog_WARN(TAG, "Transmit_Call is too short: Actual: %d, Expected: %d", WLog_WARN(TAG, "Transmit_Call is too short: Actual: %d, Expected: %d",
(int) Stream_GetRemainingLength(s), 16); (int) Stream_GetRemainingLength(s), 16);
return STATUS_BUFFER_TOO_SMALL; return STATUS_BUFFER_TOO_SMALL;
} }
Stream_Read_UINT32(s, length); /* Length (4 bytes) */
Stream_Read_UINT32(s, ioRecvPci.dwProtocol); /* dwProtocol (4 bytes) */ Stream_Read_UINT32(s, ioRecvPci.dwProtocol); /* dwProtocol (4 bytes) */
Stream_Read_UINT32(s, ioRecvPci.cbExtraBytes); /* cbExtraBytes (4 bytes) */ Stream_Read_UINT32(s, ioRecvPci.cbExtraBytes); /* cbExtraBytes (4 bytes) */
Stream_Read_UINT32(s, pbExtraBytesNdrPtr); /* pbExtraBytesNdrPtr (4 bytes) */
Stream_Read_UINT32(s, length); /* Length (4 bytes) */
if (ioRecvPci.cbExtraBytes > 1024) if (ioRecvPci.cbExtraBytes > 1024)
{ {
@ -2233,7 +2237,7 @@ UINT32 smartcard_unpack_transmit_call(SMARTCARD_DEVICE* smartcard, wStream* s, T
return STATUS_INVALID_PARAMETER; return STATUS_INVALID_PARAMETER;
} }
if (length < ioRecvPci.cbExtraBytes) if (length != ioRecvPci.cbExtraBytes)
{ {
WLog_WARN(TAG, "Transmit_Call unexpected length: Actual: %d, Expected: %d (ioRecvPci.cbExtraBytes)", WLog_WARN(TAG, "Transmit_Call unexpected length: Actual: %d, Expected: %d (ioRecvPci.cbExtraBytes)",
(int) length, (int) ioRecvPci.cbExtraBytes); (int) length, (int) ioRecvPci.cbExtraBytes);
@ -2262,6 +2266,8 @@ UINT32 smartcard_unpack_transmit_call(SMARTCARD_DEVICE* smartcard, wStream* s, T
pbExtraBytes = &((BYTE*) call->pioRecvPci)[sizeof(SCARD_IO_REQUEST)]; pbExtraBytes = &((BYTE*) call->pioRecvPci)[sizeof(SCARD_IO_REQUEST)];
Stream_Read(s, pbExtraBytes, ioRecvPci.cbExtraBytes); Stream_Read(s, pbExtraBytes, ioRecvPci.cbExtraBytes);
smartcard_unpack_read_size_align(smartcard, s, ioRecvPci.cbExtraBytes, 4);
} }
return SCARD_S_SUCCESS; return SCARD_S_SUCCESS;
@ -2357,7 +2363,7 @@ void smartcard_trace_transmit_call(SMARTCARD_DEVICE* smartcard, Transmit_Call* c
WLog_DBG(TAG, "pioRecvPci: null"); WLog_DBG(TAG, "pioRecvPci: null");
} }
WLog_DBG(TAG, "fpbRecvBufferIsNULL: %d cbRecvLength: 0x%08X", WLog_DBG(TAG, "fpbRecvBufferIsNULL: %d cbRecvLength: %d",
call->fpbRecvBufferIsNULL, call->cbRecvLength); call->fpbRecvBufferIsNULL, call->cbRecvLength);
WLog_DBG(TAG, "}"); WLog_DBG(TAG, "}");
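Review bot: The three added `smartcard_unpack_read_size_align(smartcard, s, <len>, 4)` calls (after the ioSendPci extra bytes, after pbSendBuffer, and after the ioRecvPci extra bytes) skip up to three padding bytes that none of the visible length checks account for; those checks cover only the payloads and the 16-byte pioRecvPci header. The helper's definition is not on this page, so if it seeks without testing the remaining length, a truncated Transmit_Call from the peer could leave the stream position past the end of the data, and the later `Stream_GetRemainingLength(s) < 16` test may then see a wrapped-around value instead of a small one. I would make the helper bounded and have it return a status, or guard each call between the read and the skip, e.g. `if (Stream_GetRemainingLength(s) < ((4 - (call->cbSendLength & 3)) & 3)) return STATUS_BUFFER_TOO_SMALL;`. smartcard_unpack_transmit_call begins and ends outside the hunks shown, so an existing guard may sit in lines not visible here.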