security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00
Code Activity

scd: Fix possible NULL deref in apdu.c

Browse Source 
* scd/apdu.c (control_pcsc_direct): Take care of BUFLEN being NULL.
(control_pcsc_wrapped): Ditto.
--

pcsc_vendor_specific_init calls the above with BUFFER and BUFLEN as
NULL.

Reported by Stack 0.3:

  bug: anti-dce
  model: |
    control_pcsc.exit77:
    %retval.0.i.i76 = phi i32 [ %rc.0.i.i.i73, \
            %pcsc_error_to_sw.exit.i.i74 ], [ 0, %if.end.i.i75 ]
    %tobool198 = icmp ne i32 %retval.0.i.i76, 0, !dbg !728
    br i1 %tobool198, label %if.then199, label %if.end200, !dbg !728
  stack:
    - /home/wk/s/gnupg/scd/apdu.c:1882:0
  ncore: 1
  core:
    - /home/wk/s/gnupg/scd/apdu.c:1309:0
      - buffer overflow
This commit is contained in:
Werner Koch 2015-03-15 12:15:55 +01:00
parent 35db798c2d
commit ef0a3abf73
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
scd/apdu.c
View File

@ -1307,7 +1307,7 @@ control_pcsc_direct (int slot, pcsc_dword_t ioctl_code,
long err;
err = pcsc_control (reader_table[slot].pcsc.card, ioctl_code,
cntlbuf, len, buffer, *buflen, buflen);
cntlbuf, len, buffer, buflen? *buflen:0, buflen);
if (err)
{
log_error ("pcsc_control failed: %s (0x%lx)\n",
@ -1375,14 +1375,18 @@ control_pcsc_wrapped (int slot, pcsc_dword_t ioctl_code,
full_len = len;
n = *buflen < len ? *buflen : len;
if (buflen)
n = *buflen < len ? *buflen : len;
else
n = 0;
if ((i=readn (slotp->pcsc.rsp_fd, buffer, n, &len)) || len != n)
{
log_error ("error receiving PC/SC CONTROL response: %s\n",
i? strerror (errno) : "premature EOF");
goto command_failed;
}
*buflen = n;
if (buflen)
*buflen = n;
full_len -= len;
if (full_len)