pcsc-lite/0002-Fix-a-hang-in-SCardTransmit.patch
Zhiqiang Liu 14048123a2 pcsc-lite: backport some patches to solve some upstream problems
backport some patches to solve some upstream problems

Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
2020-10-29 22:10:36 +08:00


From 38dfe5c1f474db519e1f7e31cf714ba5d4c6cfa4 Mon Sep 17 00:00:00 2001
From: Ludovic Rousseau <ludovic.rousseau@free.fr>
Date: Wed, 5 Aug 2020 18:57:30 +0200
Subject: [PATCH 02/13] Fix a hang in SCardTransmit()
In some special conditions it is possible to make SCardTransmit()
hang forever in pcscd and generate a denial of service.
I was able to reproduce the problem using a sample C code.
Thanks to Maksim Ivanov for the bug report
"[Pcsclite-muscle] Potential hang in SCardTransmit"
http://lists.infradead.org/pipermail/pcsclite-muscle/2020-July/001096.html
" Hello,
It seems that there's an (at least half-hypothetical) scenario when
SCardTransmit may hang.
The combination is:
the service's |readerState| is (SCARD_PRESENT | SCARD_POWERED |
SCARD_NEGOTIABLE);
the service's |cardProtocol| is SCARD_PROTOCOL_UNDEFINED (right after
power-up);
the caller's |pioSendPci->dwProtocol| is SCARD_PROTOCOL_ANY_OLD.
In that case, the hang happens in the loop that attempts to find the
highest bit in the |cardProtocol| value; it doesn't handle the case
when the latter is zero:
https://salsa.debian.org/rousseau/PCSC/-/blob/467df10d439f6d739cd48a51f2b3dd543b1a64ce/src/winscard.c#L1583
P.S. Sorry if I misunderstood something and this case can never occur
in practice.
Regards,
Maksim "
---
src/winscard.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/winscard.c b/src/winscard.c
index 9f24cd7..3b88554 100644
--- a/src/winscard.c
+++ b/src/winscard.c
@@ -1580,7 +1580,7 @@ LONG SCardTransmit(SCARDHANDLE hCard, const SCARD_IO_REQUEST *pioSendPci,
unsigned long i;
unsigned long prot = rContext->readerState->cardProtocol;
- for (i = 0 ; prot != 1 ; i++)
+ for (i = 0 ; prot != 1 && i < 16; i++)
prot >>= 1;
sSendPci.Protocol = i;
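Review bot: the `i < 16` bound on the `for` loop stops the hang, but when `prot` is 0 (the SCARD_PROTOCOL_UNDEFINED case from the report) the loop now exits with `i == 16`, and the next line stores that in `sSendPci.Protocol`, a value that does not correspond to any bit set in `prot`. Consider testing `prot == 0` before the loop and returning an error from SCardTransmit() at that point rather than continuing with a made-up protocol index. The literal 16 also deserves a comment or a named constant saying why that is the limit.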
--
1.8.3.1