scd: Fix possible NULL deref in apdu.c
* scd/apdu.c (control_pcsc_direct): Take care of BUFLEN being NULL. (control_pcsc_wrapped): Ditto. -- pcsc_vendor_specific_init calls the above with BUFFER and BUFLEN as NULL. Reported by Stack 0.3: bug: anti-dce model: | control_pcsc.exit77: %retval.0.i.i76 = phi i32 [ %rc.0.i.i.i73, \ %pcsc_error_to_sw.exit.i.i74 ], [ 0, %if.end.i.i75 ] %tobool198 = icmp ne i32 %retval.0.i.i76, 0, !dbg !728 br i1 %tobool198, label %if.then199, label %if.end200, !dbg !728 stack: - /home/wk/s/gnupg/scd/apdu.c:1882:0 ncore: 1 core: - /home/wk/s/gnupg/scd/apdu.c:1309:0 - buffer overflow
parent
35db798c2d
commit
ef0a3abf73
@ -1307,7 +1307,7 @@ control_pcsc_direct (int slot, pcsc_dword_t ioctl_code,
|
|||||||
long err;
|
long err;
|
||||||
|
|
||||||
err = pcsc_control (reader_table[slot].pcsc.card, ioctl_code,
|
err = pcsc_control (reader_table[slot].pcsc.card, ioctl_code,
|
||||||
cntlbuf, len, buffer, *buflen, buflen);
|
cntlbuf, len, buffer, buflen? *buflen:0, buflen);
|
||||||
if (err)
|
if (err)
|
||||||
{
|
{
|
||||||
log_error ("pcsc_control failed: %s (0x%lx)\n",
|
log_error ("pcsc_control failed: %s (0x%lx)\n",
|
||||||
@ -1375,13 +1375,17 @@ control_pcsc_wrapped (int slot, pcsc_dword_t ioctl_code,
|
|||||||
|
|
||||||
full_len = len;
|
full_len = len;
|
||||||
|
|
||||||
|
if (buflen)
|
||||||
n = *buflen < len ? *buflen : len;
|
n = *buflen < len ? *buflen : len;
|
||||||
|
else
|
||||||
|
n = 0;
|
||||||
if ((i=readn (slotp->pcsc.rsp_fd, buffer, n, &len)) || len != n)
|
if ((i=readn (slotp->pcsc.rsp_fd, buffer, n, &len)) || len != n)
|
||||||
{
|
{
|
||||||
log_error ("error receiving PC/SC CONTROL response: %s\n",
|
log_error ("error receiving PC/SC CONTROL response: %s\n",
|
||||||
i? strerror (errno) : "premature EOF");
|
i? strerror (errno) : "premature EOF");
|
||||||
goto command_failed;
|
goto command_failed;
|
||||||
}
|
}
|
||||||
|
if (buflen)
|
||||||
*buflen = n;
|
*buflen = n;
|
||||||
|
|
||||||
full_len -= len;
|
full_len -= len;
|
||||||
|
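Review bot: In the first hunk the rewritten call still passes `buflen` itself as the last argument of pcsc_control, so a NULL pointer is now handed on to the PC/SC layer rather than dereferenced here; whether that entry point tolerates a NULL bytes-returned pointer is not visible on this page. If that is not guaranteed on every backend, a local can absorb the result, e.g. `pcsc_dword_t dummy = 0;` with `buflen? buflen : &dummy` as the final argument (this assumes buflen points to a pcsc_dword_t; its declaration is outside the hunk). In control_pcsc_wrapped the NULL case reads zero bytes into `buffer`, which relies on readn accepting a NULL buffer together with a zero count. Both functions would also benefit from a short header comment such as `/* BUFFER and BUFLEN may both be NULL if the caller does not want the response data. */`, since the contract is currently stated only in the commit message. Both function bodies begin and end outside the hunks shown.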