diff mbox

usb: ccid: check ccid apdu length

Message ID 20170202192228.10847-1-ppandit@redhat.com (mailing list archive)
State New, archived
Headers show

Commit Message

Prasad Pandit Feb. 2, 2017, 7:22 p.m. UTC
From: Prasad J Pandit <pjp@fedoraproject.org>

CCID device emulator uses Application Protocol Data Units(APDU)
to exchange command and responses to and from the host.
The length in these units couldn't be greater than 65536. Add
check to ensure the same. It'd also avoid potential integer
overflow in emulated_apdu_from_guest.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/usb/dev-smartcard-reader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Gerd Hoffmann Feb. 3, 2017, 9:17 a.m. UTC | #1
On Fr, 2017-02-03 at 00:52 +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> CCID device emulator uses Application Protocol Data Units(APDU)
> to exchange command and responses to and from the host.
> The length in these units couldn't be greater than 65536. Add
> check to ensure the same. It'd also avoid potential integer
> overflow in emulated_apdu_from_guest.
> 
> Reported-by: Li Qiang <liqiang6-s@360.cn>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

Added to usb queue.

thanks,
  Gerd
diff mbox

Patch

diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
index 89e11b6..1325ea1 100644
--- a/hw/usb/dev-smartcard-reader.c
+++ b/hw/usb/dev-smartcard-reader.c
@@ -967,7 +967,7 @@  static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
     DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
                 recv->hdr.bSeq, len);
     ccid_add_pending_answer(s, (CCID_Header *)recv);
-    if (s->card) {
+    if (s->card && len <= BULK_OUT_DATA_SIZE) {
         ccid_card_apdu_from_guest(s->card, recv->abData, len);
     } else {
         DPRINTF(s, D_WARN, "warning: discarded apdu\n");