[Pcsclite-cvs-commit] r5370 - /trunk/PCSC/src/atrhandler.c
rousseau at users.alioth.debian.org
Wed Nov 3 19:23:21 UTC 2010
Author: rousseau
Date: Wed Nov 3 19:23:09 2010
New Revision: 5370
URL: http://svn.debian.org/wsvn/pcsclite/?sc=1&rev=5370
Log:
ATRDecodeAtr(): avoids a buffer overflow with badly formed ATR like
3B FF 11 22 33 F0 11 22 33 F0 11 22 33 F0 11 22 33 F0 11 22 33 F0 11 22
33 F0 11 22 33 00 11 22 33
Thanks to Rafael Dominguez Vega for the bug report
Modified:
trunk/PCSC/src/atrhandler.c
Modified: trunk/PCSC/src/atrhandler.c
URL: http://svn.debian.org/wsvn/pcsclite/trunk/PCSC/src/atrhandler.c?rev=5370&op=diff
==============================================================================
--- trunk/PCSC/src/atrhandler.c (original)
+++ trunk/PCSC/src/atrhandler.c Wed Nov 3 19:23:09 2010
@@ -232,7 +232,7 @@
psExtension->ATR.HistoryLength = K;
memcpy(psExtension->ATR.HistoryValue, &pucAtr[p], K);
- p = p + K;
+ p += K;
/*
* Check to see if TCK character is included It will be included if
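Review bot: the memcpy into psExtension->ATR.HistoryValue in the context lines just above the changed line copies K bytes from &pucAtr[p] with no bound on p or p + K visible in this hunk, and the only check this patch adds sits further down, after that copy has already run. Consider validating p + K against the ATR length (or MAX_ATR_SIZE) before the copy, so the read from pucAtr cannot run past the input. The change from p = p + K to p += K is cosmetic and would be easier to review as a separate commit from the security fix.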
@@ -240,6 +240,9 @@
*/
if (psExtension->CardCapabilities.AvailableProtocols & SCARD_PROTOCOL_T1)
TCK = pucAtr[p++];
+
+ if (p > MAX_ATR_SIZE)
+ return 0; /** @retval 0 Maximum attribute size */
memcpy(psExtension->ATR.Value, pucAtr, p);
psExtension->ATR.Length = p; /* modified from p-1 */
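Review bot: the new test p > MAX_ATR_SIZE comes after TCK = pucAtr[p++], so the read at index p is performed before p is validated; placing a check above the TCK read as well would cover that read in addition to the memcpy into ATR.Value. The comparison is also against the constant MAX_ATR_SIZE rather than the number of bytes actually received, so an ATR shorter than MAX_ATR_SIZE whose header claims more data than was sent would still pass; if the function has the input length available, compare p against that too. The Doxygen-style @retval comment on the return line would be better placed in the function's header comment, stating what a return value of 0 means to callers.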