From 1e1166661ef5c6776189aeed09b39f1a91e107e3 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Sat, 8 Aug 2020 15:39:17 +0200 Subject: [PATCH 1/6] T0ProcACK: fix a potential problem " Apparently, the fuzzer found one more similar bug: T0ProcACK() can be called with the |proc_len| parameter equal to -1, leading to stack-buffer-overflow. The stack trace is: #1 0x56eee7 in T0ProcACK /ssd/ccid/src/fuzzer/../commands.c:1988:3 #2 0x56d1d1 in CmdXfrBlockCHAR_T0 /ssd/ccid/src/fuzzer/../commands.c:2253:20 #3 0x5754cc in IFDHTransmitToICC /ssd/ccid/src/fuzzer/../ifdhandler.c:1403:17 and the T0ProcACK() call is made from this line: https://salsa.debian.org/rousseau/CCID/-/blob/c122e4f38cc7d1ffdb1fc0cece49145930d4634a/src/commands.c#L2197 The negative |proc_len| is the result of this equation: |exp_len - *rcv_len|, with exp_len=2, *rcv_len=3 in the found scenario. " The problem has been found by an automatic buzzer, not by a real problem in the field. Thanks to Maksim Ivanov for the bug report --- src/commands.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/commands.c b/src/commands.c index 07bad44..c00c2d5 100644 --- a/src/commands.c +++ b/src/commands.c @@ -1852,6 +1852,9 @@ static RESPONSECODE T0ProcACK(unsigned int reader_index, DEBUG_COMM2("Enter, is_rcv = %d", is_rcv); + if (proc_len < 0) + return IFD_COMMUNICATION_ERROR; + if (is_rcv == 1) { /* Receiving mode */ unsigned int remain_len; -- 1.8.3.1
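Review bot: the new `if (proc_len < 0) return IFD_COMMUNICATION_ERROR;` guard placed right after the `DEBUG_COMM2("Enter, is_rcv = %d", is_rcv);` line rejects the bad length silently, whereas the commit message shows this is an out-of-range value produced by a caller; consider emitting a debug message in the same style as the existing `DEBUG_COMM2` call (for example logging `proc_len`) before returning, so a reader of the trace can see why the transfer was aborted rather than only seeing a generic communication error. The message also says the negative value comes from `exp_len - *rcv_len` in `CmdXfrBlockCHAR_T0` (commands.c around line 2197, per the linked source), so `*rcv_len` had already exceeded `exp_len` before `T0ProcACK()` was reached; the callee check is fine as defence in depth, but that call site is where the invariant is violated, and a short comment or an equivalent check there would document why a negative `proc_len` is unreachable on the normal path. Finally, the `@@` header truncates the function signature at `unsigned int reader_index,`, so the hunk alone does not show the declared type of `proc_len`; the check is only effective if the parameter is signed, as the `-1` in the fuzzer report implies, so it is worth confirming the signature on the same commit rather than relying on the commit text.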