CmdEscapeCheck(): signals buffer overflow

If the RxBuffer[] buffer is too small to contain the reader response
then IFD_ERROR_INSUFFICIENT_BUFFER is returned.

Before the patch the returned buffer was silently truncated and
IFD_SUCCESS was returned.

Thanks to Maximilian Stein for the bug report
"[Pcsclite-muscle] libccid IFDHControl() / CmdEscape() might truncate reader response"
http://lists.alioth.debian.org/pipermail/pcsclite-muscle/Week-of-Mon-20170213/000816.html
LudovicRousseau committed Feb 28, 2017
1 parent 8c57dcc commit b15c8f9
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions src/commands.c
Expand Up @@ -1008,7 +1008,10 @@ RESPONSECODE CmdEscapeCheck(unsigned int reader_index,
/* copy the response */
length_out = dw2i(cmd_out, 1);
if (length_out > *RxLength)
{
length_out = *RxLength;
return_value = IFD_ERROR_INSUFFICIENT_BUFFER;
}
*RxLength = length_out;
memcpy(RxBuffer, &cmd_out[10], length_out);
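
Review bot: in the `if (length_out > *RxLength)` branch the truncated response is still copied and `*RxLength` is set to the clamped size, so a caller that gets IFD_ERROR_INSUFFICIENT_BUFFER has no way to learn how large a buffer the reader response needs. Consider adding a comment stating that RxBuffer holds only a truncated prefix on this error, or reporting the required length to the caller. Separately, `length_out` is taken from the response header via `dw2i(cmd_out, 1)` and, in the lines visible here, is bounded only by `*RxLength`. If it is not already checked above this hunk against the number of bytes actually received into `cmd_out`, the `memcpy` from `&cmd_out[10]` could read past the received data, so a check against the received length minus the 10-byte header would be worth adding before the copy.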
