From 38dfe5c1f474db519e1f7e31cf714ba5d4c6cfa4 Mon Sep 17 00:00:00 2001 From: Ludovic Rousseau Date: Wed, 5 Aug 2020 18:57:30 +0200 Subject: [PATCH 02/13] Fix a hang in SCardTransmit() In some special conditions it is possible to make SCardTransmit() to hang forever in pcscd and generates a denial of service. I was able to reproduce the problem using a sample C code. Thanks to Maksim Ivanov for the bug report "[Pcsclite-muscle] Potential hang in SCardTransmit" http://lists.infradead.org/pipermail/pcsclite-muscle/2020-July/001096.html " Hello, It seems that there's (at least half-hypothetical) scenario when SCardTransmit may hang. The combination is: the service's |readerState| is (SCARD_PRESENT | SCARD_POWERED | SCARD_NEGOTIABLE); the service's |cardProtocol| is SCARD_PROTOCOL_UNDEFINED (right after power-up); the caller's |pioSendPci->dwProtocol| is SCARD_PROTOCOL_ANY_OLD. In that case, the hang happens in the loop that attempts to find the highest bit in the |cardProtocol| value; it doesn't handle the case when the latter is zero: https://salsa.debian.org/rousseau/PCSC/-/blob/467df10d439f6d739cd48a51f2b3dd543b1a64ce/src/winscard.c#L1583 P.S. Sorry if I misunderstood something and this case can never occur in practice. Regards, Maksim " --- src/winscard.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/winscard.c b/src/winscard.c index 9f24cd7..3b88554 100644 --- a/src/winscard.c +++ b/src/winscard.c @@ -1580,7 +1580,7 @@ LONG SCardTransmit(SCARDHANDLE hCard, const SCARD_IO_REQUEST *pioSendPci, unsigned long i; unsigned long prot = rContext->readerState->cardProtocol; - for (i = 0 ; prot != 1 ; i++) + for (i = 0 ; prot != 1 && i < 16; i++) prot >>= 1; sSendPci.Protocol = i; -- 1.8.3.1
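Review bot: the added `&& i < 16` bound stops the infinite loop, but when `cardProtocol` is 0 (SCARD_PROTOCOL_UNDEFINED, the case the bug report describes) the loop now exits with `i == 16` and the hunk then stores that in `sSendPci.Protocol = i;`, which is not a valid protocol index; the condition that was hanging pcscd is turned into a silently wrong protocol value passed down to the reader driver. Better to reject the request explicitly before the loop, e.g. `if (prot == 0) return SCARD_E_PROTO_MISMATCH;` (or whatever error the surrounding code already uses for an unnegotiated protocol), and keep the bounded loop only as a belt-and-braces guard. The literal 16 is also an unexplained magic number: `prot` is an `unsigned long`, so the bound does not derive from the variable's width; a short comment stating that at most 16 protocol bits are defined, or a named constant, would make the limit reviewable. Since the commit message reports this as a remotely triggerable denial of service (any local SCardTransmit caller passing SCARD_PROTOCOL_ANY_OLD right after power-up), a regression test exercising exactly that readerState/cardProtocol combination would be worth adding alongside the fix.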