SCardControl() may return SCARD_E_INSUFFICIENT_BUFFER

SCardControl() now correctly returns SCARD_E_INSUFFICIENT_BUFFER when pbRecvBuffer is not big enough to receive the card response. The CCID driver does the check and correctly and returned CM_IOCTL_GET_FEATURE_REQUEST in such a case but not all IFD Handler may be smart enough. This change is similar to the same change for SCardTransmit() done in 8eb9ea1 (29 mai 2015) Thanks to Maximilian Stein for the patch "[Pcsclite-muscle] SCardControl() should return SCARD_E_INSUFFICIENT_BUFFER similar to SCardTransmit()" http://lists.alioth.debian.org/pipermail/pcsclite-muscle/Week-of-Mon-20170213/000815.html
LudovicRousseau · Feb 28, 2017 · 09cf6c7 · 09cf6c7
1 parent 7c232a1
commit 09cf6c7
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/src/winscard_clnt.c b/src/winscard_clnt.c
@@ -2178,7 +2178,7 @@ LONG SCardGetStatusChange(SCARDCONTEXT hContext, DWORD dwTimeout,
  *
  * @return Error code.
  * @retval SCARD_S_SUCCESS Successful (\ref SCARD_S_SUCCESS)
- * @retval SCARD_E_INSUFFICIENT_BUFFER \p cbSendLength or \p cbRecvLength are too big (\ref SCARD_E_INSUFFICIENT_BUFFER)
+ * @retval SCARD_E_INSUFFICIENT_BUFFER \p cbRecvLength was not large enough for the reader response. The expected size is now in \p lpBytesReturned (\ref SCARD_E_INSUFFICIENT_BUFFER)
  * @retval SCARD_E_INVALID_HANDLE Invalid \p hCard handle (\ref SCARD_E_INVALID_HANDLE)
  * @retval SCARD_E_INVALID_PARAMETER \p pbSendBuffer is NULL or \p cbSendLength is null and the IFDHandler is version 2.0 (without \p dwControlCode) (\ref SCARD_E_INVALID_PARAMETER)
  * @retval SCARD_E_INVALID_VALUE Invalid value was presented (\ref SCARD_E_INVALID_VALUE)

diff --git a/src/winscard_svc.c b/src/winscard_svc.c
@@ -715,9 +715,15 @@ static void ContextThread(LPVOID newContext)
 
 				ctStr.rv = SCardControl(ctStr.hCard, ctStr.dwControlCode,
 					pbSendBuffer, ctStr.cbSendLength,
-					pbRecvBuffer, ctStr.cbRecvLength,
+					pbRecvBuffer, sizeof pbRecvBuffer,
 					&dwBytesReturned);
 
+				if (dwBytesReturned > ctStr.cbRecvLength)
+					/* The client buffer is not large enough.
+					 * The pbRecvBuffer buffer will NOT be sent a few
+					 * lines bellow. So no buffer overflow is expected. */
+					ctStr.rv = SCARD_E_INSUFFICIENT_BUFFER;
+
 				ctStr.dwBytesReturned = dwBytesReturned;
 
 				WRITE_BODY(ctStr);