Cc'ing Paolo & Marc-André.

On 11/10/2018 13:24, P J P wrote:
> From: Prasad J Pandit <p...@fedoraproject.org>
>
> While reading virtual smart card data, if buffer 'size' is negative
> it would lead to memory corruption errors. Add check to avoid it.
The IOReadHandler does not have documentation.

typedef void IOReadHandler(void *opaque, const uint8_t *buf, int size);

Why is the 'size' argument signed? Does it make sense to call it with a negative value?

Thanks,

Phil.

> > Reported-by: Arash TC <tohidi.ar...@gmail.com> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > --- > hw/usb/ccid-card-passthru.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/hw/usb/ccid-card-passthru.c b/hw/usb/ccid-card-passthru.c > index 0a6c657228..63ed78f4c6 100644 > --- a/hw/usb/ccid-card-passthru.c > +++ b/hw/usb/ccid-card-passthru.c > @@ -275,6 +275,7 @@ static void ccid_card_vscard_read(void *opaque, const > uint8_t *buf, int size) > PassthruState *card = opaque; > VSCMsgHeader *hdr; > > + assert(0 <= size && size < VSCARD_IN_SIZE); > if (card->vscard_in_pos + size > VSCARD_IN_SIZE) { > error_report("no room for data: pos %u + size %d > %" PRId64 "." > " dropping connection.", >
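Review bot: the upper bound in the added `assert(0 <= size && size < VSCARD_IN_SIZE);` is stricter than the existing `if (card->vscard_in_pos + size > VSCARD_IN_SIZE)` check directly below it: a read of exactly VSCARD_IN_SIZE bytes at position 0 passes the existing check (the buffer is filled completely) but now aborts the process. The assert also changes the failure mode for bad input from the existing "dropping connection" path to an abort of the whole QEMU process. If a negative `size` can actually arrive from the caller, handle it in the same branch as the oversize case, e.g. `if (size < 0 || card->vscard_in_pos + size > VSCARD_IN_SIZE) {`, so it is reported and the connection dropped like any other malformed read; keep an assert only for a condition that the IOReadHandler contract guarantees never happens, which is exactly what the question about the signed `size` argument above needs answered first.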