yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone
619821
From c69bcffde2abc36576ff8b9d60f721e1261fec32 Mon Sep 17 00:00:00 2001
619821
From: Gerd Hoffmann <kraxel@redhat.com>
619821
Date: Tue, 14 Mar 2017 08:52:53 +0100
619821
Subject: [PATCH 20/24] usb: ccid: check ccid apdu length
619821
619821
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
619821
Message-id: <1489481576-26911-2-git-send-email-kraxel@redhat.com>
619821
Patchwork-id: 74286
619821
O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/4] usb: ccid: check ccid apdu length
619821
Bugzilla: 1419818
619821
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
619821
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
619821
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
619821
619821
From: Prasad J Pandit <pjp@fedoraproject.org>
619821
619821
CCID device emulator uses Application Protocol Data Units(APDU)
619821
to exchange command and responses to and from the host.
619821
The length in these units couldn't be greater than 65536. Add
619821
check to ensure the same. It'd also avoid potential integer
619821
overflow in emulated_apdu_from_guest.
619821
619821
Reported-by: Li Qiang <liqiang6-s@360.cn>
619821
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
619821
Message-id: 20170202192228.10847-1-ppandit@redhat.com
619821
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
619821
(cherry picked from commit c7dfbf322595ded4e70b626bf83158a9f3807c6a)
619821
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
619821
---
619821
 hw/usb/dev-smartcard-reader.c | 2 +-
619821
 1 file changed, 1 insertion(+), 1 deletion(-)
619821
619821
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
619821
index 0e666e1..0e0b363 100644
619821
--- a/hw/usb/dev-smartcard-reader.c
619821
+++ b/hw/usb/dev-smartcard-reader.c
619821
@@ -965,7 +965,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
619821
     DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
619821
                 recv->hdr.bSeq, len);
619821
     ccid_add_pending_answer(s, (CCID_Header *)recv);
619821
-    if (s->card) {
619821
+    if (s->card && len <= BULK_OUT_DATA_SIZE) {
619821
         ccid_card_apdu_from_guest(s->card, recv->abData, len);
619821
     } else {
619821
         DPRINTF(s, D_WARN, "warning: discarded apdu\n");
619821
-- 
619821
1.8.3.1
619821