|
|
619821 |
From c69bcffde2abc36576ff8b9d60f721e1261fec32 Mon Sep 17 00:00:00 2001
|
|
|
619821 |
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
619821 |
Date: Tue, 14 Mar 2017 08:52:53 +0100
|
|
|
619821 |
Subject: [PATCH 20/24] usb: ccid: check ccid apdu length
|
|
|
619821 |
|
|
|
619821 |
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
619821 |
Message-id: <1489481576-26911-2-git-send-email-kraxel@redhat.com>
|
|
|
619821 |
Patchwork-id: 74286
|
|
|
619821 |
O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/4] usb: ccid: check ccid apdu length
|
|
|
619821 |
Bugzilla: 1419818
|
|
|
619821 |
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
|
619821 |
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
|
|
|
619821 |
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
619821 |
|
|
|
619821 |
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
|
619821 |
|
|
|
619821 |
CCID device emulator uses Application Protocol Data Units(APDU)
|
|
|
619821 |
to exchange command and responses to and from the host.
|
|
|
619821 |
The length in these units couldn't be greater than 65536. Add
|
|
|
619821 |
check to ensure the same. It'd also avoid potential integer
|
|
|
619821 |
overflow in emulated_apdu_from_guest.
|
|
|
619821 |
|
|
|
619821 |
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
|
|
619821 |
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
|
619821 |
Message-id: 20170202192228.10847-1-ppandit@redhat.com
|
|
|
619821 |
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
|
619821 |
(cherry picked from commit c7dfbf322595ded4e70b626bf83158a9f3807c6a)
|
|
|
619821 |
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
|
|
|
619821 |
---
|
|
|
619821 |
hw/usb/dev-smartcard-reader.c | 2 +-
|
|
|
619821 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
619821 |
|
|
|
619821 |
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
|
|
|
619821 |
index 0e666e1..0e0b363 100644
|
|
|
619821 |
--- a/hw/usb/dev-smartcard-reader.c
|
|
|
619821 |
+++ b/hw/usb/dev-smartcard-reader.c
|
|
|
619821 |
@@ -965,7 +965,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
|
|
|
619821 |
DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
|
|
|
619821 |
recv->hdr.bSeq, len);
|
|
|
619821 |
ccid_add_pending_answer(s, (CCID_Header *)recv);
|
|
|
619821 |
- if (s->card) {
|
|
|
619821 |
+ if (s->card && len <= BULK_OUT_DATA_SIZE) {
|
|
|
619821 |
ccid_card_apdu_from_guest(s->card, recv->abData, len);
|
|
|
619821 |
} else {
|
|
|
619821 |
DPRINTF(s, D_WARN, "warning: discarded apdu\n");
|
|
|
619821 |
--
|
|
|
619821 |
1.8.3.1
|
|
|
619821 |
|