[Pcsclite-cvs-commit] r5381 - /trunk/Drivers/ccid/src/ccid_serial.c

rousseau at users.alioth.debian.org rousseau at users.alioth.debian.org
Fri Nov 5 22:42:17 UTC 2010


Author: rousseau
Date: Fri Nov  5 22:42:16 2010
New Revision: 5381

URL: http://svn.debian.org/wsvn/pcsclite/?sc=1&rev=5381
Log:
ReadSerial(): avoids a possible integer overflow if the CCID frame is
corrupted or malign.

Thanks to Rafael Dominguez Vega for the bug report

Modified:
    trunk/Drivers/ccid/src/ccid_serial.c

Modified: trunk/Drivers/ccid/src/ccid_serial.c
URL: http://svn.debian.org/wsvn/pcsclite/trunk/Drivers/ccid/src/ccid_serial.c?rev=5381&op=diff
==============================================================================
--- trunk/Drivers/ccid/src/ccid_serial.c (original)
+++ trunk/Drivers/ccid/src/ccid_serial.c Fri Nov  5 22:42:16 2010
@@ -309,6 +309,12 @@
 
 	/* total frame size */
 	to_read = 10+dw2i(buffer, 1);
+
+	if ((to_read < 0) || (to_read > 0x20000))
+	{
+		DEBUG_CRITICAL2("Wrong value for frame size: %d", to_read);
+		return STATUS_COMM_ERROR;
+	}
 
 	DEBUG_COMM2("frame size: %d", to_read);
 	if ((rv = get_bytes(reader_index, buffer+5, to_read-5)) != STATUS_SUCCESS)
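Review bot: the upper bound in the new `if ((to_read < 0) || (to_read > 0x20000))` test is a fixed constant rather than the capacity of `buffer`, yet the following `get_bytes(reader_index, buffer+5, to_read-5)` writes `to_read-5` bytes starting at `buffer+5`. Unless every caller is guaranteed to supply at least 0x20000 bytes, compare `to_read` against the buffer length actually available in this function, and give 0x20000 a named constant with a comment stating where the limit comes from. Separately, the test runs only after `10+dw2i(buffer, 1)` has been computed; the `< 0` comparison and the `%d` format suggest `to_read` is a signed int, so a length field near the maximum is caught only by relying on the addition wrapping to a negative value. Validating the value returned by `dw2i(buffer, 1)` before adding 10 would avoid depending on that.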



