author | Werner Koch <[email protected]> | 2015-03-15 11:15:55 +0000 |
---|---|---|
committer | NIIBE Yutaka <[email protected]> | 2015-04-15 07:06:06 +0000 |
commit | b4ec909186d0150c835942754283ecc2bdf6e3e0 (patch) | |
tree | 54be10c230b363122d9c5d3855c44b477cb324e0 | |
parent | po: Update Japanese translation. (diff) | |
download | gnupg-b4ec909186d0150c835942754283ecc2bdf6e3e0.tar.gz gnupg-b4ec909186d0150c835942754283ecc2bdf6e3e0.zip |
scd: Fix possible NULL deref in apdu.c
* scd/apdu.c (control_pcsc_direct): Take care of BUFLEN being NULL.
(control_pcsc_wrapped): Ditto.
--
pcsc_vendor_specific_init calls the above with BUFFER and BUFLEN as
NULL.
Reported by Stack 0.3:
bug: anti-dce
model: |
control_pcsc.exit77:
%retval.0.i.i76 = phi i32 [ %rc.0.i.i.i73, \
%pcsc_error_to_sw.exit.i.i74 ], [ 0, %if.end.i.i75 ]
%tobool198 = icmp ne i32 %retval.0.i.i76, 0, !dbg !728
br i1 %tobool198, label %if.then199, label %if.end200, !dbg !728
stack:
- /home/wk/s/gnupg/scd/apdu.c:1882:0
ncore: 1
core:
- /home/wk/s/gnupg/scd/apdu.c:1309:0
- buffer overflow
(backported from 2.1 commit ef0a3abf7305133d071bf1a94a7f461082f9a9aa)
-rw-r--r-- | scd/apdu.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/scd/apdu.c b/scd/apdu.c
index 5ce7f946d..5fa66a848 100644
--- a/scd/apdu.c
+++ b/scd/apdu.c
@@ -1269,7 +1269,7 @@ control_pcsc_direct (int slot, pcsc_dword_t ioctl_code,
   long err;
   err = pcsc_control (reader_table[slot].pcsc.card, ioctl_code,
-                      cntlbuf, len, buffer, *buflen, buflen);
+                      cntlbuf, len, buffer, buflen? *buflen:0, buflen);
   if (err)
     {
       log_error ("pcsc_control failed: %s (0x%lx)\n",
@@ -1337,14 +1337,18 @@ control_pcsc_wrapped (int slot, pcsc_dword_t ioctl_code,
   full_len = len;
-  n = *buflen < len ? *buflen : len;
+  if (buflen)
+    n = *buflen < len ? *buflen : len;
+  else
+    n = 0;
   if ((i=readn (slotp->pcsc.rsp_fd, buffer, n, &len)) || len != n)
     {
       log_error ("error receiving PC/SC CONTROL response: %s\n",
                  i? strerror (errno) : "premature EOF");
       goto command_failed;
     }
-  *buflen = n;
+  if (buflen)
+    *buflen = n;
   full_len -= len;
   if (full_len)
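Review bot: The guarded pcsc_control call still passes a NULL `buflen` through as its final bytes-returned argument, so the NULL dereference is only avoided inside control_pcsc_direct and is delegated to whichever SCardControl implementation was loaded; whether that implementation accepts a NULL output-length pointer is not visible here and should be confirmed for both pcsc-lite and the Windows PC/SC library. If it cannot be relied on, a local variable of the type `buflen` points to, initialised to 0 and passed as `buflen ? buflen : &dummy_len`, would make the guard self-contained. control_pcsc_direct's body continues beyond the hunk.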
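Review bot: The new contract that `buflen` (and, per the description, `buffer`) may be NULL is not documented where a caller would find it; control_pcsc_wrapped's header comment lies above this hunk and should gain a line such as `/* BUFFER and BUFLEN may both be NULL: the response body is then read with length 0 and presumably consumed by the full_len handling below. */`, and the same line belongs on control_pcsc_direct in the first hunk. The two guards only cover `buflen`, so a NULL `buffer` paired with a non-NULL `buflen` still reaches readn unchecked; the comment should state that the two must be NULL together. The function continues beyond the hunk.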