Patchwork [stable-0.15,01/36] ccid: Fix buffer overrun in handling of VSC_ATR message

mail settings
Submitter Andreas Färber
Date March 28, 2012, 12:52 p.m.
Message ID <>
Download mbox | patch
Permalink /patch/149194/
State New
Headers show


Andreas Färber - March 28, 2012, 12:52 p.m.
From: Markus Armbruster <>

ATR size exceeding the limit is diagnosed, but then we merrily use it
anyway, overrunning card->atr[].

The message is read from a character device.  Obvious security
implications unless the other end of the character device is trusted.

Spotted by Coverity.  CVE-2011-4111.

Signed-off-by: Markus Armbruster <>
Signed-off-by: Anthony Liguori <>
(cherry picked from commit 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a)

Signed-off-by: Bruce Rogers <>
[AF: Fixes BNC#731086.]
Signed-off-by: Andreas Färber <>
 hw/ccid-card-passthru.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)


diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
index 28eb9d1..0505663 100644
--- a/hw/ccid-card-passthru.c
+++ b/hw/ccid-card-passthru.c
@@ -150,6 +150,7 @@  static void ccid_card_vscard_handle_message(PassthruState *card,
             error_report("ATR size exceeds spec, ignoring");
             ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
+            break;
         memcpy(card->atr, data, scr_msg_header->length);
         card->atr_length = scr_msg_header->length;