[Pcsclite-cvs-commit] CVS Drivers/ccid/src

[CVS User rousseau]

Update of /cvsroot/pcsclite/Drivers/ccid/src
In directory haydn:/tmp/cvs-serv7785

Modified Files:
	commands.c 
Log Message:
SecurePIN(), CCID_Transmit(), SetParameters(): check that the user
provided command is not too large (avoid a possible buffer overflow)


--- /cvsroot/pcsclite/Drivers/ccid/src/commands.c	2005/01/09 21:26:29	1.34
+++ /cvsroot/pcsclite/Drivers/ccid/src/commands.c	2005/01/09 21:29:57	1.35
@@ -18,7 +18,7 @@
 */
 
 /*
- * $Id: commands.c,v 1.34 2005/01/09 21:26:29 rousseau Exp $
+ * $Id: commands.c,v 1.35 2005/01/09 21:29:57 rousseau Exp $
  */
 
 #include <string.h>
@@ -173,6 +173,10 @@
 	cmd[9] = 0;
 	cmd[10] = 0;	/* bPINOperation: PIN Verification */
 
+	/* check that the command is not too large */
+	if (TxLength > 14+CMD_BUF_SIZE)
+		return IFD_NOT_SUPPORTED;
+
 	/* CCID data structure + APDU */
 	memcpy(cmd + 11, TxBuffer, TxLength);
 
@@ -425,6 +429,11 @@
 	cmd[7] = bBWI;	/* extend block waiting timeout */
 	cmd[8] = rx_length & 0xFF;	/* Expected length */
 	cmd[9] = (rx_length >> 8) & 0xFF;
+
+	/* check that the command is not too large */
+	if (tx_length > CMD_BUF_SIZE)
+		return IFD_NOT_SUPPORTED;
+
 	memcpy(cmd+10, tx_buffer, tx_length);
 
 	if (WritePort(reader_index, 10+tx_length, cmd) != STATUS_SUCCESS)
@@ -869,6 +878,11 @@
 	cmd[6] = (*ccid_descriptor->pbSeq)++;
 	cmd[7] = protocol;	/* bProtocolNum */
 	cmd[8] = cmd[9] = 0; /* RFU */
+
+	/* check that the command is not too large */
+	if (length > CMD_BUF_SIZE)
+		return IFD_NOT_SUPPORTED;
+
 	memcpy(cmd+10, buffer, length);
 
 	if (WritePort(reader_index, 10+length, cmd) != STATUS_SUCCESS)