From c69bcffde2abc36576ff8b9d60f721e1261fec32 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 14 Mar 2017 08:52:53 +0100
Subject: [PATCH 20/24] usb: ccid: check ccid apdu length
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1489481576-26911-2-git-send-email-kraxel@redhat.com>
Patchwork-id: 74286
O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/4] usb: ccid: check ccid apdu length
Bugzilla: 1419818
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
From: Prasad J Pandit <pjp@fedoraproject.org>
CCID device emulator uses Application Protocol Data Units (APDU)
to exchange command and responses to and from the host.
The length in these units couldn't be greater than 65536. Add
check to ensure the same. It'd also avoid potential integer
overflow in emulated_apdu_from_guest.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20170202192228.10847-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit c7dfbf322595ded4e70b626bf83158a9f3807c6a)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/usb/dev-smartcard-reader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
index 0e666e1..0e0b363 100644
--- a/hw/usb/dev-smartcard-reader.c
+++ b/hw/usb/dev-smartcard-reader.c
@@ -965,7 +965,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
     DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
                 recv->hdr.bSeq, len);
     ccid_add_pending_answer(s, (CCID_Header *)recv);
-    if (s->card) {
+    if (s->card && len <= BULK_OUT_DATA_SIZE) {
         ccid_card_apdu_from_guest(s->card, recv->abData, len);
     } else {
         DPRINTF(s, D_WARN, "warning: discarded apdu\n");
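Review bot: the new condition on the `+    if (s->card && len <= BULK_OUT_DATA_SIZE) {` line folds an over-long APDU into the same else branch as a missing card, so the only trace of a malformed guest request is the generic `warning: discarded apdu` message at D_WARN level; a distinct message for the length case would make triage of such requests easier. Two smaller points: the commit message states the bound as 65536 while the code compares against BULK_OUT_DATA_SIZE, so a short comment tying that constant to the stated limit would keep the two in sync; and since the DPRINTF above prints len with %d, please confirm that len is an unsigned type, because a negative signed value would still satisfy `len <= BULK_OUT_DATA_SIZE`.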
-- 
1.8.3.1