ccid: Fix buffer overrun in handling of VSC_ATR message

ATR size exceeding the limit is diagnosed, but then we merrily use it anyway, overrunning card->atr[]. The message is read from a character device. Obvious security implications unless the other end of the character device is trusted. Spotted by Coverity. CVE-2011-4111. Signed-off-by: N Markus Armbruster <armbru@redhat.com> Signed-off-by: N Anthony Liguori <aliguori@us.ibm.com>

ccid: Fix buffer overrun in handling of VSC_ATR message
ATR size exceeding the limit is diagnosed, but then we merrily use it anyway, overrunning card->atr[]. The message is read from a character device. Obvious security implications unless the other end of the character device is trusted. Spotted by Coverity. CVE-2011-4111. Signed-off-by: N Markus Armbruster <armbru@redhat.com> Signed-off-by: N Anthony Liguori <aliguori@us.ibm.com>
7e62255a · Markus Armbruster · Anthony Liguori · aea317aa · 7e62255a
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

hw/ccid-card-passthru.c hw/ccid-card-passthru.c +1 -0

未找到文件。
--- a/hw/ccid-card-passthru.c
+++ b/hw/ccid-card-passthru.c
@@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card,
            error_report("ATR size exceeds spec, ignoring");
            ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
                                        VSC_GENERAL_ERROR);
+            break;
        }
        memcpy(card->atr, data, scr_msg_header->length);
        card->atr_length = scr_msg_header->length;