diff options
author | Markus Armbruster <armbru@redhat.com> | 2011-11-28 20:27:37 +0100 |
---|---|---|
committer | Anthony Liguori <aliguori@us.ibm.com> | 2011-11-28 16:20:53 -0600 |
commit | 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a (patch) | |
tree | 2e5ccd7d2f972ddb3cde2a977ab592f2a02f1f3e /hw | |
parent | aea317aaa5d92ee8789f976ccf105be67d956f5e (diff) |
ccid: Fix buffer overrun in handling of VSC_ATR message
ATR size exceeding the limit is diagnosed, but then we merrily use it
anyway, overrunning card->atr[].
The message is read from a character device. Obvious security
implications unless the other end of the character device is trusted.
Spotted by Coverity. CVE-2011-4111.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'hw')
-rw-r--r-- | hw/ccid-card-passthru.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c index 2cbc81b9f4..9f51c6cb05 100644 --- a/hw/ccid-card-passthru.c +++ b/hw/ccid-card-passthru.c @@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card, error_report("ATR size exceeds spec, ignoring"); ccid_card_vscard_send_error(card, scr_msg_header->reader_id, VSC_GENERAL_ERROR); + break; } memcpy(card->atr, data, scr_msg_header->length); card->atr_length = scr_msg_header->length; |