File opensc-added-bounds-checking.patch of Package opensc
From 83f45cda2af16b65264103fbe0394fd422f0120d Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Sun, 27 May 2018 00:38:37 +0200
Subject: [PATCH] Added bounds checking to sc_simpletlv_read_tag()
- Logic is identical to sc_asn1_read_tag()
- Fixes out of bounds access e.g. in cac_parse_CCC
---
src/libopensc/card-setcos.c | 14 +++++++-------
src/libopensc/errors.c | 2 ++
src/libopensc/errors.h | 2 ++
src/libopensc/simpletlv.c | 31 +++++++++++++++++++++----------
src/tools/util.c | 5 +++--
5 files changed, 35 insertions(+), 19 deletions(-)
Index: opensc-0.13.0/src/libopensc/card-setcos.c
===================================================================
--- opensc-0.13.0.orig/src/libopensc/card-setcos.c
+++ opensc-0.13.0/src/libopensc/card-setcos.c
@@ -788,8 +788,8 @@ static void parse_sec_attr_44(sc_file_t
/* Check all sub-AC definitions whitin the total AC */
while (len > 1) { /* minimum length = 2 */
- int iACLen = buf[iOffset] & 0x0F;
- if ((size_t) iACLen > len)
+ size_t iACLen = buf[iOffset] & 0x0F;
+ if (iACLen > len)
break;
iPinCount = -1; /* default no pin required */
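Review bot: The guard `if (iACLen > len)` still accepts `iACLen == len`, although an entry occupies the PTL byte plus `iACLen` bytes, as the later `len < 1+(size_t)iACLen` checks in this function acknowledge. `len` appears to be a `size_t` (the removed line cast to it), and the end of the loop is outside this hunk. If that tail advances with something like `len -= iACLen + 1`, the subtraction would wrap for such an entry and `while (len > 1)` would keep reading past the buffer. Tightening the test to `if (iACLen >= len)` rejects the truncated entry before any of its bytes are used.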
@@ -797,8 +797,8 @@ static void parse_sec_attr_44(sc_file_t
if (buf[iOffset] & 0X80) { /* AC in adaptive coding */
/* Evaluates only the command-byte, not the optional P1/P2/Option bytes */
- int iParmLen = 1; /* command-byte is always present */
- int iKeyLen = 0; /* Encryption key is optional */
+ size_t iParmLen = 1; /* command-byte is always present */
+ size_t iKeyLen = 0; /* Encryption key is optional */
if (buf[iOffset] & 0x20) iKeyLen++;
if (buf[iOffset+1] & 0x40) iParmLen++;
@@ -809,7 +809,7 @@ static void parse_sec_attr_44(sc_file_t
/* Get KeyNumber if available */
if(iKeyLen) {
int iSC;
- if (len < 1+iACLen)
+ if (len < 1+(size_t)iACLen)
break;
iSC = buf[iOffset+iACLen];
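Review bot: The `(size_t)` cast in `if (len < 1+(size_t)iACLen)` is redundant, because the first hunk now declares `iACLen` as `size_t`. The same holds for `(size_t)iParmLen` in the pin-number hunk and, assuming it is the same loop-local variable, for `(size_t)iACLen` in the last hunk of this file. Writing `if (len < 1 + iACLen)` keeps the comparison unsigned without implying that the operand is still a signed `int`. A short comment above the check, such as `/* entry = PTL byte + iACLen bytes; both must lie inside the buffer */`, would make the intent of the bound explicit.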
@@ -830,7 +830,7 @@ static void parse_sec_attr_44(sc_file_t
/* Get PinNumber if available */
if (iACLen > (1+iParmLen+iKeyLen)) { /* check via total length if pin is present */
- if (len < 1+1+1+iParmLen)
+ if (len < 1+1+1+(size_t)iParmLen)
break;
iKeyRef = buf[iOffset+1+1+iParmLen]; /* PTL + AM-header + parameter-bytes */
iMethod = SC_AC_CHV;
@@ -873,7 +873,7 @@ static void parse_sec_attr_44(sc_file_t
if (buf[iOffset] & 0x20) {
int iSC;
- if (len < 1 + iACLen)
+ if (len < 1 + (size_t)iACLen)
break;
iSC = buf[iOffset + iACLen];
Index: opensc-0.13.0/src/tools/util.c
===================================================================
--- opensc-0.13.0.orig/src/tools/util.c
+++ opensc-0.13.0/src/tools/util.c
@@ -30,6 +30,7 @@
#endif
#include <ctype.h>
#include "util.h"
+#include "common/compat_strlcat.h"
int
is_string_valid_atr(const char *atr_str)
@@ -311,8 +312,8 @@ const char * util_acl_to_str(const sc_ac
strcpy(buf, "????");
break;
}
- strncat(line, buf, sizeof line);
- strncat(line, " ", sizeof line);
+ strlcat(line, buf, sizeof line);
+ strlcat(line, " ", sizeof line);
e = e->next;
}
line[(sizeof line)-1] = '\0'; /* make sure it's NUL terminated */
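Review bot: The return value of both `strlcat()` calls is discarded, so an ACL list that does not fit in `line` is truncated silently while the loop keeps walking entries that can no longer be appended. Checking the result, e.g. `if (strlcat(line, buf, sizeof line) >= sizeof line) break;`, stops at the first truncation. `strlcat` NUL-terminates within the size it is given, provided `line` starts out terminated (its initialisation is outside this hunk), so the trailing `line[(sizeof line)-1] = '\0';` is now redundant and could be dropped or its comment updated. The body of `util_acl_to_str` starts and ends outside the hunk.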