[Pcsclite-cvs-commit] r5370 - /trunk/PCSC/src/atrhandler.c

rousseau at users.alioth.debian.org
Wed Nov 3 19:23:21 UTC 2010


Author: rousseau
Date: Wed Nov  3 19:23:09 2010
New Revision: 5370

URL: http://svn.debian.org/wsvn/pcsclite/?sc=1&rev=5370
Log:
ATRDecodeAtr(): avoids a buffer overflow with badly formed ATR like
3B FF 11 22 33 F0 11 22 33 F0 11 22 33 F0 11 22 33 F0 11 22 33 F0 11 22
33 F0 11 22 33 00 11 22 33

Thanks to Rafael Dominguez Vega for the bug report

Modified:
    trunk/PCSC/src/atrhandler.c

Modified: trunk/PCSC/src/atrhandler.c
URL: http://svn.debian.org/wsvn/pcsclite/trunk/PCSC/src/atrhandler.c?rev=5370&op=diff
==============================================================================
--- trunk/PCSC/src/atrhandler.c (original)
+++ trunk/PCSC/src/atrhandler.c Wed Nov  3 19:23:09 2010
@@ -232,7 +232,7 @@
 	psExtension->ATR.HistoryLength = K;
 	memcpy(psExtension->ATR.HistoryValue, &pucAtr[p], K);
 
-	p = p + K;
+	p += K;
 
 	/*
 	 * Check to see if TCK character is included It will be included if
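Review bot: the `memcpy(psExtension->ATR.HistoryValue, &pucAtr[p], K)` at the top of this hunk reads K bytes starting at `pucAtr[p]` with no bounds check visible before it, and the `p > MAX_ATR_SIZE` test this commit adds only runs later, after the copy has already happened. If the caller does not guarantee that `pucAtr` holds at least `MAX_ATR_SIZE` readable bytes, consider rejecting the ATR before this copy with a check such as `if (p + K > MAX_ATR_SIZE) return 0;` so a malformed history length cannot drive the read past the buffer. The `p += K` change itself is purely stylistic and behaviour-preserving.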
@@ -240,6 +240,9 @@
 	 */
 	if (psExtension->CardCapabilities.AvailableProtocols & SCARD_PROTOCOL_T1)
 		TCK = pucAtr[p++];
+
+	if (p > MAX_ATR_SIZE)
+		return 0;	/** @retval 0 Maximum attribute size */
 
 	memcpy(psExtension->ATR.Value, pucAtr, p);
 	psExtension->ATR.Length = p;	/* modified from p-1 */
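Review bot: the new `if (p > MAX_ATR_SIZE) return 0;` is placed after `TCK = pucAtr[p++];`, so when `p` is already equal to `MAX_ATR_SIZE` at the point of that read, `pucAtr[p]` touches one byte past the end of an `MAX_ATR_SIZE`-byte buffer before the check fires. Consider moving the check ahead of the TCK read, for example `if (p >= MAX_ATR_SIZE) return 0;` immediately before the `if (... & SCARD_PROTOCOL_T1)` line, and keeping a `p > MAX_ATR_SIZE` check before the `memcpy(psExtension->ATR.Value, pucAtr, p)` so that the copy into `ATR.Value` is bounded as well. Also, the `/** @retval 0 Maximum attribute size */` comment on the return statement is written as a Doxygen tag, but Doxygen only collects `@retval` from the function's header comment; moving that line up to the `ATRDecodeAtr()` documentation block would make it visible in the generated docs.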