File CVE-2017-5898-qemuu-usb-integer-overflow-in-emu... of Package xen.5853

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2017-5898-qemuu-usb-integer-overflow-in-emulated_apdu_from_guest.patch of Package xen.5853

References: bsc#1024307 CVE-2017-5898

Subject: usb: ccid: check ccid apdu length
From: Prasad J Pandit pjp@fedoraproject.org Fri Feb 3 00:52:28 2017 +0530
Date: Mon Feb 6 10:23:18 2017 +0100:
Git: c7dfbf322595ded4e70b626bf83158a9f3807c6a

CCID device emulator uses Application Protocol Data Units(APDU)
to exchange command and responses to and from the host.
The length in these units couldn't be greater than 65536. Add
check to ensure the same. It'd also avoid potential integer
overflow in emulated_apdu_from_guest.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20170202192228.10847-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/dev-smartcard-reader.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/usb/dev-smartcard-reader.c
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/dev-smartcard-reader.c
@@ -962,7 +962,7 @@ static void ccid_on_apdu_from_guest(USBC
     DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
                 recv->hdr.bSeq, len);
     ccid_add_pending_answer(s, (CCID_Header *)recv);
-    if (s->card) {
+    if (s->card && len <= BULK_OUT_DATA_SIZE) {
         ccid_card_apdu_from_guest(s->card, recv->abData, len);
     } else {
         DPRINTF(s, D_WARN, "warning: discarded apdu\n");

Places

File CVE-2017-5898-qemuu-usb-integer-overflow-in-emulated_apdu_from_guest.patch of Package xen.5853

Places