rpms / qemu

Clone
Source Code
GIT

Blame 0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch

el4 el5 el6 eln epel7 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fc6 main private-bonzini-demo private-bonzini-demo-f20 private-bonzini-el6 private-bonzini-mpath private-bonzini-tcmalloc private-ehabkost-fixing-exclusivearch private-glommer-merge rawhide
  1.   f16
  2.   0200-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-messa.patch
Blob History Raw
cd9d161 
From 792733e8aa8565a0b49c80539d0bc7a0ac19aaff Mon Sep 17 00:00:00 2001
cd9d161 
From: Markus Armbruster <armbru@redhat.com>
cd9d161 
Date: Mon, 28 Nov 2011 20:27:37 +0100
cd9d161 
Subject: [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR message
cd9d161 
MIME-Version: 1.0
cd9d161 
Content-Type: text/plain; charset=UTF-8
cd9d161 
Content-Transfer-Encoding: 8bit
cd9d161
cd9d161 
ATR size exceeding the limit is diagnosed, but then we merrily use it
cd9d161 
anyway, overrunning card->atr[].
cd9d161
cd9d161 
The message is read from a character device.  Obvious security
cd9d161 
implications unless the other end of the character device is trusted.
cd9d161
cd9d161 
Spotted by Coverity.  CVE-2011-4111.
cd9d161
cd9d161 
Signed-off-by: Markus Armbruster <armbru@redhat.com>
cd9d161 
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
cd9d161 
(cherry picked from commit 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a)
cd9d161
cd9d161 
Signed-off-by: Bruce Rogers <brogers@suse.com>
cd9d161 
[AF: Fixes BNC#731086.]
cd9d161 
Signed-off-by: Andreas Färber <afaerber@suse.de>
cd9d161 
---
cd9d161 
 hw/ccid-card-passthru.c | 1 +
cd9d161 
 1 file changed, 1 insertion(+)
cd9d161
cd9d161 
diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
cd9d161 
index 28eb9d1..0505663 100644
cd9d161 
--- a/hw/ccid-card-passthru.c
cd9d161 
+++ b/hw/ccid-card-passthru.c
cd9d161 
@@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card,
cd9d161 
             error_report("ATR size exceeds spec, ignoring");
cd9d161 
             ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
cd9d161 
                                         VSC_GENERAL_ERROR);
cd9d161 
+            break;
cd9d161 
         }
cd9d161 
         memcpy(card->atr, data, scr_msg_header->length);
cd9d161 
         card->atr_length = scr_msg_header->length;
cd9d161 
--
cd9d161 
1.7.11.2
cd9d161
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.