From: Markus Armbruster Date: Mon, 28 Nov 2011 19:27:37 +0000 (+0100) Subject: ccid: Fix buffer overrun in handling of VSC_ATR message X-Git-Tag: qemu-xen-4.3.0-rc1~1946 X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=7e62255a4b3e0e2ab84a3ec7398640e8ed58620a;p=qemu-upstream-4.3-testing.git ccid: Fix buffer overrun in handling of VSC_ATR message ATR size exceeding the limit is diagnosed, but then we merrily use it anyway, overrunning card->atr[]. The message is read from a character device. Obvious security implications unless the other end of the character device is trusted. Spotted by Coverity. CVE-2011-4111. Signed-off-by: Markus Armbruster Signed-off-by: Anthony Liguori --- diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c index 2cbc81b9f..9f51c6cb0 100644 --- a/hw/ccid-card-passthru.c +++ b/hw/ccid-card-passthru.c @@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card, error_report("ATR size exceeds spec, ignoring"); ccid_card_vscard_send_error(card, scr_msg_header->reader_id, VSC_GENERAL_ERROR); + break; } memcpy(card->atr, data, scr_msg_header->length); card->atr_length = scr_msg_header->length;