From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:40672) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RV6rf-00023P-ER for qemu-devel@nongnu.org; Mon, 28 Nov 2011 14:27:44 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1RV6re-0002cw-3Y for qemu-devel@nongnu.org; Mon, 28 Nov 2011 14:27:43 -0500 Received: from oxygen.pond.sub.org ([78.46.104.156]:37288) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1RV6rd-0002cd-VG for qemu-devel@nongnu.org; Mon, 28 Nov 2011 14:27:42 -0500 From: Markus Armbruster Date: Mon, 28 Nov 2011 20:27:37 +0100 Message-Id: <1322508457-25520-1-git-send-email-armbru@redhat.com> Subject: [Qemu-devel] [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR message List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: alevy@redhat.com ATR size exceeding the limit is diagnosed, but then we merrily use it anyway, overrunning card->atr[]. The message is read from a character device. Obvious security implications unless the other end of the character device is trusted. Spotted by Coverity. CVE-2011-4111. Signed-off-by: Markus Armbruster --- hw/ccid-card-passthru.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c index 2cbc81b..9f51c6c 100644 --- a/hw/ccid-card-passthru.c +++ b/hw/ccid-card-passthru.c @@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card, error_report("ATR size exceeds spec, ignoring"); ccid_card_vscard_send_error(card, scr_msg_header->reader_id, VSC_GENERAL_ERROR); + break; } memcpy(card->atr, data, scr_msg_header->length); card->atr_length = scr_msg_header->length; -- 1.7.6.4
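Review bot: the added `break;` is the right fix for the fall-through from the "ATR size exceeds spec, ignoring" branch into `memcpy(card->atr, data, scr_msg_header->length)`, but the hunk does not show the condition of the enclosing `if`, so this diff alone does not let a reviewer confirm that the bound `scr_msg_header->length` is compared against is the constant that sizes `card->atr[]`; please confirm that, or mention the constant in the commit message, since after this patch that comparison is the only thing bounding the copy. Using `break` also assumes these lines sit directly in a `case` of the switch in ccid_card_vscard_handle_message rather than inside a loop, which is plausible from the three lines of context but not visible here. Minor: a one-line comment above `break;` saying that the statements after the `if` must not run for an oversized ATR would make the intent survive the next refactoring.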
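As an added illustration of the bug class the commit message describes (diagnosing an over-long, peer-supplied length and then copying it anyway), here is a simplified handler modeled on the ATR case. This is example code written for this page, not QEMU's or libcacard's; the `Card` and `MsgHeader` types, `ATR_MAX`, the message type values and `handle_message()` are all hypothetical stand-ins, and the header layout is a constructed one in host byte order rather than the real VSCard wire format. It also rejects a second edge case the patch does not touch: a declared length larger than the number of payload bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the passthrough card state (not QEMU's PassthruState).
 * atr[] is fixed-size, so every copy into it must be bounded by ATR_MAX. */
#define ATR_MAX 33                 /* assumed limit: an ISO 7816-3 ATR is at most 33 bytes */
enum { MSG_ATR = 1, MSG_OTHER = 2 }; /* constructed message types */

typedef struct {
    uint8_t atr[ATR_MAX];
    size_t  atr_length;
    int     errors_sent;           /* counts calls to send_error(); stands in for
                                      ccid_card_vscard_send_error() */
} Card;

/* Constructed wire header: type, reader_id, length (host order for brevity). */
typedef struct {
    uint32_t type;
    uint32_t reader_id;
    uint32_t length;
} MsgHeader;

static void send_error(Card *card)
{
    card->errors_sent++;
}

/* Dispatch one message from an untrusted peer. 'avail' is how many payload
 * bytes actually arrived; hdr->length is what the peer claims.
 * Returns 1 if an ATR was stored, 0 if the message was rejected or ignored. */
int handle_message(Card *card, const MsgHeader *hdr,
                   const uint8_t *data, size_t avail)
{
    switch (hdr->type) {
    case MSG_ATR:
        if (hdr->length > ATR_MAX) {
            fprintf(stderr, "ATR size exceeds spec, ignoring\n");
            send_error(card);
            break;      /* the statement the patch adds: the memcpy below must
                           not run for an oversized ATR */
        }
        if (hdr->length > avail) {
            /* Declared length exceeds bytes received: copying hdr->length
             * bytes would over-read 'data', so reject this as well. */
            fprintf(stderr, "ATR message truncated, ignoring\n");
            send_error(card);
            break;
        }
        memcpy(card->atr, data, hdr->length);   /* bounded by both checks above */
        card->atr_length = hdr->length;
        return 1;
    default:
        break;
    }
    return 0;
}

int main(void)
{
    Card card;
    memset(&card, 0, sizeof card);

    /* Constructed sample ATR payload. */
    uint8_t good[5] = { 0x3B, 0x02, 0x14, 0x50, 0x00 };
    MsgHeader ok   = { MSG_ATR, 0, 5 };
    MsgHeader huge = { MSG_ATR, 0, 200 };   /* peer claims 200 bytes of ATR */
    uint8_t junk[200];
    memset(junk, 0x41, sizeof junk);

    printf("valid ATR stored: %d (len %zu)\n",
           handle_message(&card, &ok, good, sizeof good), card.atr_length);
    printf("oversized ATR stored: %d (errors %d)\n",
           handle_message(&card, &huge, junk, sizeof junk), card.errors_sent);
    return 0;
}
```

Without the first `break`, the oversized case would log an error, send VSC_GENERAL_ERROR and still copy 200 bytes into a 33-byte array, which is exactly the overrun the patch closes; with it, `atr_length` and `atr[]` are untouched by the bad message.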