mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ccid: Fix buffer overrun in handling of VSC_ATR message

Browse Source 
ATR size exceeding the limit is diagnosed, but then we merrily use it
anyway, overrunning card->atr[].

The message is read from a character device.  Obvious security
implications unless the other end of the character device is trusted.

Spotted by Coverity.  CVE-2011-4111.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
This commit is contained in:
Markus Armbruster 2011-11-28 20:27:37 +01:00 committed by Anthony Liguori
parent aea317aaa5
commit 7e62255a4b
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
hw/ccid-card-passthru.c
View File

@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card,
error_report("ATR size exceeds spec, ignoring"); error_report("ATR size exceeds spec, ignoring");
ccid_card_vscard_send_error(card, scr_msg_header->reader_id, ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
VSC_GENERAL_ERROR); VSC_GENERAL_ERROR);
break;
} }
memcpy(card->atr, data, scr_msg_header->length); memcpy(card->atr, data, scr_msg_header->length);
card->atr_length = scr_msg_header->length; card->atr_length = scr_msg_header->length;