[Pcsclite-muscle] libccid IFDHControl() / CmdEscape() might truncate reader response

Maximilian Stein maximilian.stein at secunet.com
Fri Feb 17 19:34:02 UTC 2017


Hello again,

one thing I've noticed while analysing the SCardControl() code is that
the libccid IFD handler might silently truncate the reader response if
the RxBuffer is not large enough. In fact it is the CmdEscape() function
that does this. But it is used, amongst others, by IFDHControl() in some
cases (see commands.c:1008):

    /* copy the response */
    length_out = dw2i(cmd_out, 1);
    if (length_out > *RxLength)
        length_out = *RxLength;
    *RxLength = length_out;
    memcpy(RxBuffer, &cmd_out[10], length_out);

While other control calls for the reader (e.g. PIN handling) in
IFDHControl() are handled via CCID_Transmit/CCID_Receive which does
(commands.c:1567):

    length = dw2i(cmd, 1);
    if (length <= *rx_length)
        *rx_length = length;
    else
    {
        DEBUG_CRITICAL2("overrun by %d bytes", length - *rx_length);
        length = *rx_length;
        return_value = IFD_ERROR_INSUFFICIENT_BUFFER;
    }
[...]
    memcpy(rx_buffer, cmd+10, length);

Is this intended? If so, the behaviour of IFDHControl() is inconsistent
regarding the handling of too small return buffers depending on which
control code is used. Another question is whether it is intended that the
truncated response is delivered to the client together with the
INSUFFICIENT_BUFFER error. The code in CCID_Receive looks a bit like it...


Kind regards
Maximilian Stein
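To make the difference between the two copy paths concrete, the following is an added, self-contained C example (not libccid's own code) that reimplements both excerpts above over a constructed CCID response frame and drives them with an undersized caller buffer. The IFD return-code values, the CCID_HDR constant, the sample frame and the outcome() helper are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
/* Local stand-ins for the ifdhandler.h codes named in the post; values are assumptions */
#define IFD_SUCCESS 0
#define IFD_ERROR_INSUFFICIENT_BUFFER 1
#define CCID_HDR 10 /* CCID bulk-in frame: 10-byte header, then payload */
/* Little-endian 32-bit read at b[off], what libccid's dw2i() does */
static uint32_t dw2i(const unsigned char *b, size_t off)
{
    return (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
           ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
}
/* Path A, mirroring the CmdEscape() excerpt: clamp, copy, report success even if bytes dropped */
int copy_escape_style(const unsigned char *cmd_out, unsigned char *rx, size_t *rx_len)
{
    size_t length_out = dw2i(cmd_out, 1);
    if (length_out > *rx_len)
        length_out = *rx_len;
    *rx_len = length_out;
    memcpy(rx, &cmd_out[CCID_HDR], length_out);
    return IFD_SUCCESS;
}
/* Path B, mirroring the CCID_Receive() excerpt: same clamp and copy, but the overrun is reported */
int copy_receive_style(const unsigned char *cmd_out, unsigned char *rx, size_t *rx_len)
{
    size_t length = dw2i(cmd_out, 1);
    int rv = IFD_SUCCESS;
    if (length <= *rx_len)
        *rx_len = length;
    else {
        length = *rx_len;              /* truncated bytes are still delivered */
        rv = IFD_ERROR_INSUFFICIENT_BUFFER;
    }
    memcpy(rx, cmd_out + CCID_HDR, length);
    return rv;
}
/* Constructed sample frame: dwLength = 6, payload "ABCDEF" at offset 10 */
static const unsigned char sample_frame[CCID_HDR + 6] =
    { 0x83, 6, 0, 0, 0, 0, 0, 0, 0, 0, 'A', 'B', 'C', 'D', 'E', 'F' };
/* Run one path with a buf_size-byte caller buffer (buf_size <= 64); packs rv * 256 + bytes delivered */
int outcome(int receive_style, size_t buf_size)
{
    unsigned char rx[64];
    size_t n = buf_size;
    int rv = receive_style ? copy_receive_style(sample_frame, rx, &n)
                           : copy_escape_style(sample_frame, rx, &n);
    return rv * 256 + (int)n;
}
```

With a 4-byte caller buffer the escape-style path reports success with 4 bytes delivered, while the receive-style path delivers the same 4 bytes but returns IFD_ERROR_INSUFFICIENT_BUFFER; with a 16-byte buffer both paths deliver all 6 bytes.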