[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR
|
From: |
Alon Levy |
|
Subject: |
Re: [Qemu-devel] [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR message |
|
Date: |
Tue, 29 Nov 2011 11:36:34 +0200 |
|
User-agent: |
Mutt/1.5.21 (2010-09-15) |
On Mon, Nov 28, 2011 at 08:27:37PM +0100, Markus Armbruster wrote:
> ATR size exceeding the limit is diagnosed, but then we merrily use it
> anyway, overrunning card->atr[].
>
> The message is read from a character device. Obvious security
> implications unless the other end of the character device is trusted.
>
> Spotted by Coverity. CVE-2011-4111.
>
Anthony, do you want me to do a pull request for this or can you merge
it as is?
Alon
> Signed-off-by: Markus Armbruster <address@hidden>
> ---
> hw/ccid-card-passthru.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
> index 2cbc81b..9f51c6c 100644
> --- a/hw/ccid-card-passthru.c
> +++ b/hw/ccid-card-passthru.c
> @@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState
> *card,
> error_report("ATR size exceeds spec, ignoring");
> ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
> VSC_GENERAL_ERROR);
> + break;
> }
> memcpy(card->atr, data, scr_msg_header->length);
> card->atr_length = scr_msg_header->length;
> --
> 1.7.6.4
>