Re: [Qemu-devel] [PATCH] ccid-card-passthru: check buffer size parameter
From: Philippe Mathieu-Daudé
Subject: Re: [Qemu-devel] [PATCH] ccid-card-passthru: check buffer size parameter
Date: Thu, 11 Oct 2018 13:58:36 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.0
Cc'ing Paolo & Marc-André.
On 11/10/2018 13:24, P J P wrote:
> From: Prasad J Pandit <address@hidden>
>
> While reading virtual smart card data, if buffer 'size' is negative
> it would lead to memory corruption errors. Add check to avoid it.
The IOReadHandler does not have documentation.
typedef void IOReadHandler(void *opaque, const uint8_t *buf, int size);
Why is the 'size' argument signed? Does it make sense to call it with a
negative value?
Thanks,
Phil.
>
> Reported-by: Arash TC <address@hidden>
> Signed-off-by: Prasad J Pandit <address@hidden>
> ---
> hw/usb/ccid-card-passthru.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/hw/usb/ccid-card-passthru.c b/hw/usb/ccid-card-passthru.c
> index 0a6c657228..63ed78f4c6 100644
> --- a/hw/usb/ccid-card-passthru.c
> +++ b/hw/usb/ccid-card-passthru.c
> @@ -275,6 +275,7 @@ static void ccid_card_vscard_read(void *opaque, const
> uint8_t *buf, int size)
> PassthruState *card = opaque;
> VSCMsgHeader *hdr;
>
> + assert(0 <= size && size < VSCARD_IN_SIZE);
> if (card->vscard_in_pos + size > VSCARD_IN_SIZE) {
> error_report("no room for data: pos %u + size %d > %" PRId64 "."
> " dropping connection.",
>
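Review bot: The upper bound in the added assert, 'size < VSCARD_IN_SIZE', is stricter than the existing check on the next line, which only rejects 'card->vscard_in_pos + size > VSCARD_IN_SIZE'. A read of exactly VSCARD_IN_SIZE bytes at position 0 passes that check but would trip the assert, so the bound should be 'size <= VSCARD_IN_SIZE' unless the exclusion is intended and documented. The failure mode also differs: the path directly below reports "no room for data" and drops the connection, while the assert aborts on the same kind of bad input. Consider folding 'size < 0' into the existing 'if' so a negative size takes the same error_report path, and add a short comment stating the valid range of 'size', since the question raised above about the signed parameter shows the handler's contract is not written down anywhere.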