[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR mes
|
From: |
Markus Armbruster |
|
Subject: |
[Qemu-devel] [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR message |
|
Date: |
Mon, 28 Nov 2011 20:27:37 +0100 |
ATR size exceeding the limit is diagnosed, but then we merrily use it
anyway, overrunning card->atr[].
The message is read from a character device. Obvious security
implications unless the other end of the character device is trusted.
Spotted by Coverity. CVE-2011-4111.
Signed-off-by: Markus Armbruster <address@hidden>
---
hw/ccid-card-passthru.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
index 2cbc81b..9f51c6c 100644
--- a/hw/ccid-card-passthru.c
+++ b/hw/ccid-card-passthru.c
@@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState
*card,
error_report("ATR size exceeds spec, ignoring");
ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
VSC_GENERAL_ERROR);
+ break;
}
memcpy(card->atr, data, scr_msg_header->length);
card->atr_length = scr_msg_header->length;
--
1.7.6.4
- [Qemu-devel] [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR message,
Markus Armbruster <=