[Pcsclite-cvs-commit] r5381 - /trunk/Drivers/ccid/src/ccid_serial.c
rousseau at users.alioth.debian.org
Fri Nov 5 22:42:17 UTC 2010
Author: rousseau
Date: Fri Nov 5 22:42:16 2010
New Revision: 5381
URL: http://svn.debian.org/wsvn/pcsclite/?sc=1&rev=5381
Log:
ReadSerial(): avoids a possible integer overflow if the CCID frame is
corrupted or malign.
Thanks to Rafael Dominguez Vega for the bug report
Modified:
trunk/Drivers/ccid/src/ccid_serial.c
Modified: trunk/Drivers/ccid/src/ccid_serial.c
URL: http://svn.debian.org/wsvn/pcsclite/trunk/Drivers/ccid/src/ccid_serial.c?rev=5381&op=diff
==============================================================================
--- trunk/Drivers/ccid/src/ccid_serial.c (original)
+++ trunk/Drivers/ccid/src/ccid_serial.c Fri Nov 5 22:42:16 2010
@@ -309,6 +309,12 @@
/* total frame size */
to_read = 10+dw2i(buffer, 1);
+
+ if ((to_read < 0) || (to_read > 0x20000))
+ {
+ DEBUG_CRITICAL2("Wrong value for frame size: %d", to_read);
+ return STATUS_COMM_ERROR;
+ }
DEBUG_COMM2("frame size: %d", to_read);
if ((rv = get_bytes(reader_index, buffer+5, to_read-5)) != STATUS_SUCCESS)
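Review bot: the upper bound in `if ((to_read < 0) || (to_read > 0x20000))` is a bare constant that nothing in this hunk ties to the size of `buffer`, which `get_bytes(reader_index, buffer+5, to_read-5)` then fills. Comparing against the real capacity of the destination (its declared size, or the length the caller passed in) would make the check visibly sufficient and keep it correct if the buffer size ever changes; at minimum the constant deserves a name and a comment saying where 0x20000 comes from. Separately, the test runs after `10+dw2i(buffer, 1)` has already been computed, so the `to_read < 0` branch relies on the addition having wrapped to a negative value. Validating the length field returned by `dw2i()` before adding 10 would avoid depending on that behaviour.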