From bcc702346f111dbb2c15be855905b7b032bcec05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Moreau?=
Date: Fri, 23 Jan 2015 14:19:15 -0500
Subject: [PATCH] channels/smartcard: fix buffer read alignment in SCardTransmit parsing

---
 channels/smartcard/client/smartcard_pack.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/channels/smartcard/client/smartcard_pack.c b/channels/smartcard/client/smartcard_pack.c
index 3ae34382a..d2d57e4d5 100644
--- a/channels/smartcard/client/smartcard_pack.c
+++ b/channels/smartcard/client/smartcard_pack.c
@@ -2161,6 +2161,8 @@ UINT32 smartcard_unpack_transmit_call(SMARTCARD_DEVICE* smartcard, wStream* s, T
 
 		pbExtraBytes = &((BYTE*) call->pioSendPci)[sizeof(SCARD_IO_REQUEST)];
 		Stream_Read(s, pbExtraBytes, ioSendPci.cbExtraBytes);
+
+		smartcard_unpack_read_size_align(smartcard, s, ioSendPci.cbExtraBytes, 4);
 	}
 	else
 	{
@@ -2210,21 +2212,23 @@ UINT32 smartcard_unpack_transmit_call(SMARTCARD_DEVICE* smartcard, wStream* s, T
 		}
 
 		Stream_Read(s, call->pbSendBuffer, call->cbSendLength);
+
+		smartcard_unpack_read_size_align(smartcard, s, call->cbSendLength, 4);
 	}
 
 	if (pioRecvPciNdrPtr)
 	{
-		if (Stream_GetRemainingLength(s) < 8)
+		if (Stream_GetRemainingLength(s) < 16)
 		{
 			WLog_WARN(TAG, "Transmit_Call is too short: Actual: %d, Expected: %d",
 					(int) Stream_GetRemainingLength(s), 16);
 			return STATUS_BUFFER_TOO_SMALL;
 		}
 
-		Stream_Read_UINT32(s, length); /* Length (4 bytes) */
-
 		Stream_Read_UINT32(s, ioRecvPci.dwProtocol); /* dwProtocol (4 bytes) */
 		Stream_Read_UINT32(s, ioRecvPci.cbExtraBytes); /* cbExtraBytes (4 bytes) */
+		Stream_Read_UINT32(s, pbExtraBytesNdrPtr); /* pbExtraBytesNdrPtr (4 bytes) */
+		Stream_Read_UINT32(s, length); /* Length (4 bytes) */
 
 		if (ioRecvPci.cbExtraBytes > 1024)
 		{
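Review bot: Whatever `smartcard_unpack_read_size_align(smartcard, s, ioSendPci.cbExtraBytes, 4)` returns is dropped, and nothing in the hunk confirms the stream still holds the up-to-three pad bytes the call exists to skip; the remaining-length check that precedes the `Stream_Read` above it appears to cover only `ioSendPci.cbExtraBytes` itself, so if the helper seeks without a bound of its own, an input whose extra bytes end on the last byte of the stream would have the skip run past the end. The same pattern occurs at the second call in the -2210 hunk (after the `pbSendBuffer` read) and at the call in the -2262 hunk (after the `pioRecvPci` extra bytes). I would have the helper compare the pad it computes against `Stream_GetRemainingLength(s)` and report failure when the stream is shorter, and handle that result at each call site the way the surrounding `STATUS_BUFFER_TOO_SMALL` paths do instead of discarding it. smartcard_unpack_transmit_call begins before this hunk and continues past it.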
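Review bot: The added `Stream_Read_UINT32(s, pbExtraBytesNdrPtr)` consumes the NDR pointer, but nothing in the hunk relates its value to `ioRecvPci.cbExtraBytes`, and `length` is read unconditionally right after it. If the pack side only emits the Length field when that pointer is non-null (the outer `if (pioRecvPciNdrPtr)` gate suggests the format works that way, but the hunk does not show it), a zero pointer would have this code read the next field of the message as `length`; I would confirm against the encoder and, if it holds, guard the `length` read with `if (pbExtraBytesNdrPtr)` and a matching remaining-length check. A short comment on the read, `/* conformant-array count for pbExtraBytes; pair with pbExtraBytesNdrPtr */`, would also tell the next reader why the two fields travel together. The new `16` now agrees with the four UINT32 reads and with the `Expected: %d` argument in the warning, which the old `8` did not.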
@@ -2233,7 +2237,7 @@ UINT32 smartcard_unpack_transmit_call(SMARTCARD_DEVICE* smartcard, wStream* s, T
 			return STATUS_INVALID_PARAMETER;
 		}
 
-		if (length < ioRecvPci.cbExtraBytes)
+		if (length != ioRecvPci.cbExtraBytes)
 		{
 			WLog_WARN(TAG, "Transmit_Call unexpected length: Actual: %d, Expected: %d (ioRecvPci.cbExtraBytes)",
 					(int) length, (int) ioRecvPci.cbExtraBytes);
@@ -2262,6 +2266,8 @@ UINT32 smartcard_unpack_transmit_call(SMARTCARD_DEVICE* smartcard, wStream* s, T
 
 		pbExtraBytes = &((BYTE*) call->pioRecvPci)[sizeof(SCARD_IO_REQUEST)];
 		Stream_Read(s, pbExtraBytes, ioRecvPci.cbExtraBytes);
+
+		smartcard_unpack_read_size_align(smartcard, s, ioRecvPci.cbExtraBytes, 4);
 	}
 
 	return SCARD_S_SUCCESS;
@@ -2357,7 +2363,7 @@ void smartcard_trace_transmit_call(SMARTCARD_DEVICE* smartcard, Transmit_Call* c
 		WLog_DBG(TAG, "pioRecvPci: null");
 	}
 
-	WLog_DBG(TAG, "fpbRecvBufferIsNULL: %d cbRecvLength: 0x%08X",
+	WLog_DBG(TAG, "fpbRecvBufferIsNULL: %d cbRecvLength: %d",
 			call->fpbRecvBufferIsNULL, call->cbRecvLength);
 	WLog_DBG(TAG, "}");