dcavalca / rpms / qemu

Forked from rpms/qemu 11 months ago
Clone
Source Code
GIT

Blame 0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch

c8s-sig-hyperscale c9s-sig-hyperscale
  1.   cd9d1615148a819966218610f5929f0fba1ae14f
  2.   0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch
Blob History Raw
cd9d16 
From 792733e8aa8565a0b49c80539d0bc7a0ac19aaff Mon Sep 17 00:00:00 2001
cd9d16 
From: Markus Armbruster <armbru@redhat.com>
cd9d16 
Date: Mon, 28 Nov 2011 20:27:37 +0100
cd9d16 
Subject: [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR message
cd9d16 
MIME-Version: 1.0
cd9d16 
Content-Type: text/plain; charset=UTF-8
cd9d16 
Content-Transfer-Encoding: 8bit
cd9d16
cd9d16 
ATR size exceeding the limit is diagnosed, but then we merrily use it
cd9d16 
anyway, overrunning card->atr[].
cd9d16
cd9d16 
The message is read from a character device.  Obvious security
cd9d16 
implications unless the other end of the character device is trusted.
cd9d16
cd9d16 
Spotted by Coverity.  CVE-2011-4111.
cd9d16
cd9d16 
Signed-off-by: Markus Armbruster <armbru@redhat.com>
cd9d16 
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
cd9d16 
(cherry picked from commit 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a)
cd9d16
cd9d16 
Signed-off-by: Bruce Rogers <brogers@suse.com>
cd9d16 
[AF: Fixes BNC#731086.]
cd9d16 
Signed-off-by: Andreas Färber <afaerber@suse.de>
cd9d16 
---
cd9d16 
 hw/ccid-card-passthru.c | 1 +
cd9d16 
 1 file changed, 1 insertion(+)
cd9d16
cd9d16 
diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
cd9d16 
index 28eb9d1..0505663 100644
cd9d16 
--- a/hw/ccid-card-passthru.c
cd9d16 
+++ b/hw/ccid-card-passthru.c
cd9d16 
@@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card,
cd9d16 
             error_report("ATR size exceeds spec, ignoring");
cd9d16 
             ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
cd9d16 
                                         VSC_GENERAL_ERROR);
cd9d16 
+            break;
cd9d16 
         }
cd9d16 
         memcpy(card->atr, data, scr_msg_header->length);
cd9d16 
         card->atr_length = scr_msg_header->length;
cd9d16 
--
cd9d16 
1.7.11.2
cd9d16

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation