bb02a0e9fc
backport some patches to fix some potential problems. Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
47 lines
1.5 KiB
Diff
47 lines
1.5 KiB
Diff
From 1e1166661ef5c6776189aeed09b39f1a91e107e3 Mon Sep 17 00:00:00 2001
|
|
From: Ludovic Rousseau <ludovic.rousseau@free.fr>
|
|
Date: Sat, 8 Aug 2020 15:39:17 +0200
|
|
Subject: [PATCH 1/6] T0ProcACK: fix a potential problem
|
|
|
|
" Apparently, the fuzzer found one more similar bug: T0ProcACK() can be
|
|
called with the |proc_len| parameter equal to -1, leading to
|
|
stack-buffer-overflow.
|
|
|
|
The stack trace is:
|
|
|
|
#1 0x56eee7 in T0ProcACK /ssd/ccid/src/fuzzer/../commands.c:1988:3
|
|
#2 0x56d1d1 in CmdXfrBlockCHAR_T0 /ssd/ccid/src/fuzzer/../commands.c:2253:20
|
|
#3 0x5754cc in IFDHTransmitToICC /ssd/ccid/src/fuzzer/../ifdhandler.c:1403:17
|
|
|
|
and the T0ProcACK() call is made from this line:
|
|
https://salsa.debian.org/rousseau/CCID/-/blob/c122e4f38cc7d1ffdb1fc0cece49145930d4634a/src/commands.c#L2197
|
|
|
|
The negative |proc_len| is the result of this equation: |exp_len -
|
|
*rcv_len|, with exp_len=2, *rcv_len=3 in the found scenario. "
|
|
|
|
The problem has been found by an automatic buzzer, not by a real problem
|
|
in the field.
|
|
|
|
Thanks to Maksim Ivanov for the bug report
|
|
---
|
|
src/commands.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/src/commands.c b/src/commands.c
|
|
index 07bad44..c00c2d5 100644
|
|
--- a/src/commands.c
|
|
+++ b/src/commands.c
|
|
@@ -1852,6 +1852,9 @@ static RESPONSECODE T0ProcACK(unsigned int reader_index,
|
|
|
|
DEBUG_COMM2("Enter, is_rcv = %d", is_rcv);
|
|
|
|
+ if (proc_len < 0)
|
|
+ return IFD_COMMUNICATION_ERROR;
|
|
+
|
|
if (is_rcv == 1)
|
|
{ /* Receiving mode */
|
|
unsigned int remain_len;
|
|
--
|
|
1.8.3.1
|
|
|