[Pcsclite-git-commit] [PCSC] 02/03: SCardGetAttrib(): set pcbAttrLen when buffer is too small

Ludovic Rousseau rousseau at moszumanska.debian.org
Thu Mar 31 15:44:07 UTC 2016


This is an automated email from the git hooks/post-receive script.

rousseau pushed a commit to branch master
in repository PCSC.

commit e64629f80a4639836399493ef5c3c717571ffc96
Author: Ludovic Rousseau <ludovic.rousseau at free.fr>
Date:   Thu Mar 31 16:11:44 2016 +0200

    SCardGetAttrib(): set pcbAttrLen when buffer is too small
    
    When the user provides a pbAttr[] buffer too small then the error code
    SCARD_E_INSUFFICIENT_BUFFER is returned and the correct buffer size
    value is set in pcbAttrLen.
    
    Before the change the value of pcbAttrLen was not changed so the user
    had no idea what the correct value should be.
---
 src/winscard_clnt.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/winscard_clnt.c b/src/winscard_clnt.c
index 67fb1a9..69e57ff 100644
--- a/src/winscard_clnt.c
+++ b/src/winscard_clnt.c
@@ -2499,11 +2499,16 @@ static LONG SCardGetSetAttrib(SCARDHANDLE hCard, int command, DWORD dwAttrId,
 
 	scGetSetStruct.hCard = hCard;
 	scGetSetStruct.dwAttrId = dwAttrId;
-	scGetSetStruct.cbAttrLen = *pcbAttrLen;
 	scGetSetStruct.rv = SCARD_E_NO_SERVICE;
 	memset(scGetSetStruct.pbAttr, 0, sizeof(scGetSetStruct.pbAttr));
 	if (SCARD_SET_ATTRIB == command)
+	{
 		memcpy(scGetSetStruct.pbAttr, pbAttr, *pcbAttrLen);
+		scGetSetStruct.cbAttrLen = *pcbAttrLen;
+	}
+	else
+		/* we can get up to the communication buffer size */
+		scGetSetStruct.cbAttrLen = sizeof scGetSetStruct.pbAttr;
 
 	rv = MessageSendWithHeader(command, currentContextMap->dwClientID,
 		sizeof(scGetSetStruct), &scGetSetStruct);
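Review bot: In the SCARD_SET_ATTRIB branch, memcpy(scGetSetStruct.pbAttr, pbAttr, *pcbAttrLen) takes its length from the caller, and nothing in the lines shown here bounds *pcbAttrLen against sizeof(scGetSetStruct.pbAttr). If that check is not already made earlier in SCardGetSetAttrib(), add it before the copy and return an error for oversized input. Two style points on the new else branch: it is unbraced, with a comment between else and its statement, while the if branch just gained braces; and it writes sizeof scGetSetStruct.pbAttr where the memset() a few lines up uses sizeof(scGetSetStruct.pbAttr). Bracing both branches and using one sizeof form would read more consistently.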
@@ -2527,7 +2532,12 @@ static LONG SCardGetSetAttrib(SCARDHANDLE hCard, int command, DWORD dwAttrId,
 		 */
 		if (*pcbAttrLen < scGetSetStruct.cbAttrLen)
 		{
+			/* restrict the value of scGetSetStruct.cbAttrLen to avoid a
+			 * buffer overflow in the memcpy() bellow */
+			DWORD correct_value = scGetSetStruct.cbAttrLen;
 			scGetSetStruct.cbAttrLen = *pcbAttrLen;
+			*pcbAttrLen = correct_value;
+
 			scGetSetStruct.rv = SCARD_E_INSUFFICIENT_BUFFER;
 		}
 		else
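Review bot: The new comment sits above the declaration of correct_value, but it describes the next statement, scGetSetStruct.cbAttrLen = *pcbAttrLen; moving it down one line (and fixing "bellow" to "below") would keep it attached to the clamp it explains. The write *pcbAttrLen = correct_value is the behaviour change the commit message describes and has no comment of its own. A short note that on SCARD_E_INSUFFICIENT_BUFFER *pcbAttrLen holds the required size, not the number of bytes copied, would help callers, and a name such as required_len would say more than correct_value.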

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pcsclite/PCSC.git


