[Qemu-devel] [PATCH] ccid-card-passthru: check buffer size parameter

P J P Thu, 11 Oct 2018 04:43:39 -0700

From: Prasad J Pandit <p...@fedoraproject.org>

While reading virtual smart card data, if buffer 'size' is negative
it would lead to memory corruption errors. Add check to avoid it.


Reported-by: Arash TC <tohidi.ar...@gmail.com>
Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
---
 hw/usb/ccid-card-passthru.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/usb/ccid-card-passthru.c b/hw/usb/ccid-card-passthru.c
index 0a6c657228..63ed78f4c6 100644
--- a/hw/usb/ccid-card-passthru.c
+++ b/hw/usb/ccid-card-passthru.c
@@ -275,6 +275,7 @@ static void ccid_card_vscard_read(void *opaque, const 
uint8_t *buf, int size)
     PassthruState *card = opaque;
     VSCMsgHeader *hdr;
 
+    assert(0 <= size && size < VSCARD_IN_SIZE);
     if (card->vscard_in_pos + size > VSCARD_IN_SIZE) {
         error_report("no room for data: pos %u +  size %d > %" PRId64 "."
                      " dropping connection.",
-- 
2.17.1

[Qemu-devel] [PATCH] ccid-card-passthru: check buffer size parameter

Reply via email to