1
commit 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a
2
Author: Markus Armbruster <armbru@redhat.com>
3
Date: Mon Nov 28 20:27:37 2011 +0100
5
ccid: Fix buffer overrun in handling of VSC_ATR message
7
ATR size exceeding the limit is diagnosed, but then we merrily use it
8
anyway, overrunning card->atr[].
10
The message is read from a character device. Obvious security
11
implications unless the other end of the character device is trusted.
13
Spotted by Coverity. CVE-2011-4111.
15
Signed-off-by: Markus Armbruster <armbru@redhat.com>
16
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
18
diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
19
index 2cbc81b..9f51c6c 100644
20
--- a/hw/ccid-card-passthru.c
21
+++ b/hw/ccid-card-passthru.c
22
@@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card,
23
error_report("ATR size exceeds spec, ignoring");
24
ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
28
memcpy(card->atr, data, scr_msg_header->length);
29
card->atr_length = scr_msg_header->length;