diff options
author | Prasad J Pandit <pjp@fedoraproject.org> | 2017-02-03 00:52:28 +0530 |
---|---|---|
committer | Gerd Hoffmann <kraxel@redhat.com> | 2017-02-06 10:23:18 +0100 |
commit | c7dfbf322595ded4e70b626bf83158a9f3807c6a (patch) | |
tree | 5f0691706df1e1f7ab93861fef7eff4c35fb28ca /hw/usb | |
parent | 96d87bdda3919bb16f754b3d3fd1227e1f38f13c (diff) |
usb: ccid: check ccid apdu length
CCID device emulator uses Application Protocol Data Units(APDU)
to exchange command and responses to and from the host.
The length in these units couldn't be greater than 65536. Add
check to ensure the same. It'd also avoid potential integer
overflow in emulated_apdu_from_guest.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20170202192228.10847-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'hw/usb')
-rw-r--r-- | hw/usb/dev-smartcard-reader.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c index 89e11b68c4..1325ea1659 100644 --- a/hw/usb/dev-smartcard-reader.c +++ b/hw/usb/dev-smartcard-reader.c @@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv) DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__, recv->hdr.bSeq, len); ccid_add_pending_answer(s, (CCID_Header *)recv); - if (s->card) { + if (s->card && len <= BULK_OUT_DATA_SIZE) { ccid_card_apdu_from_guest(s->card, recv->abData, len); } else { DPRINTF(s, D_WARN, "warning: discarded apdu\n"); |