dfb8478
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 3 Feb 2017 00:52:28 +0530
Subject: [PATCH] usb: ccid: check ccid apdu length
CCID device emulator uses Application Protocol Data Units (APDU)
to exchange command and responses to and from the host.
The length in these units couldn't be greater than 65536. Add
check to ensure the same. It'd also avoid potential integer
overflow in emulated_apdu_from_guest.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20170202192228.10847-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit c7dfbf322595ded4e70b626bf83158a9f3807c6a)
---
 hw/usb/dev-smartcard-reader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
index af4b851..fc32b00 100644
--- a/hw/usb/dev-smartcard-reader.c
+++ b/hw/usb/dev-smartcard-reader.c
@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
     DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
                 recv->hdr.bSeq, len);
     ccid_add_pending_answer(s, (CCID_Header *)recv);
-    if (s->card) {
+    if (s->card && len <= BULK_OUT_DATA_SIZE) {
         ccid_card_apdu_from_guest(s->card, recv->abData, len);
     } else {
         DPRINTF(s, D_WARN, "warning: discarded apdu\n");
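Review bot: the new `len <= BULK_OUT_DATA_SIZE` check in the `+` line sits after the unconditional `ccid_add_pending_answer(s, (CCID_Header *)recv);` call, so a guest-supplied length that fails the check still registers a pending answer before the APDU is dropped into the `else` branch; please confirm that the pending-answer bookkeeping is safe to leave in place for a rejected transfer (or move the length check ahead of `ccid_add_pending_answer`) so the bounds check does not leave the device in a half-processed state. Two smaller points: the `else` branch now covers both "no card" and "APDU too long" but emits the same `"warning: discarded apdu\n"` message, so logging `len` there (the `DPRINTF` above already has it) would make the oversize case distinguishable from a missing card when triaging guest misbehaviour; and the commit message talks about 65536 while the code compares against `BULK_OUT_DATA_SIZE`, so stating in the message that the macro is that limit would make the relationship between the two explicit for readers of the log.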