45 lines
1.7 KiB
Diff
45 lines
1.7 KiB
Diff
|
Fix CVE-2017-5898 (integer overflow in emulated_apdu_from_guest):
|
||
|
|
||
|
http://seclists.org/oss-sec/2017/q1/328
|
||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5898
|
||
|
|
||
|
Patch copied from upstream source repository:
|
||
|
|
||
|
http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a
|
||
|
|
||
|
From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
|
||
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||
|
Date: Fri, 3 Feb 2017 00:52:28 +0530
|
||
|
Subject: [PATCH] usb: ccid: check ccid apdu length
|
||
|
|
||
|
CCID device emulator uses Application Protocol Data Units(APDU)
|
||
|
to exchange command and responses to and from the host.
|
||
|
The length in these units couldn't be greater than 65536. Add
|
||
|
check to ensure the same. It'd also avoid potential integer
|
||
|
overflow in emulated_apdu_from_guest.
|
||
|
|
||
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||
|
Message-id: 20170202192228.10847-1-ppandit@redhat.com
|
||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||
|
---
|
||
|
hw/usb/dev-smartcard-reader.c | 2 +-
|
||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
|
||
|
index 89e11b68c4..1325ea1659 100644
|
||
|
--- a/hw/usb/dev-smartcard-reader.c
|
||
|
+++ b/hw/usb/dev-smartcard-reader.c
|
||
|
@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
|
||
|
DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
|
||
|
recv->hdr.bSeq, len);
|
||
|
ccid_add_pending_answer(s, (CCID_Header *)recv);
|
||
|
- if (s->card) {
|
||
|
+ if (s->card && len <= BULK_OUT_DATA_SIZE) {
|
||
|
ccid_card_apdu_from_guest(s->card, recv->abData, len);
|
||
|
} else {
|
||
|
DPRINTF(s, D_WARN, "warning: discarded apdu\n");
|
||
|
--
|
||
|
2.11.1
|
||
|
|