ccid: Fix buffer overrun in handling of VSC_ATR message ATR size exceeding the limit is diagnosed, but then we merrily use it anyway, overrunning card->atr[]. The message is read from a character device. Obvious security implications unless the other end of the character device is trusted. Spotted by Coverity. CVE-2011-4111. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

commit: 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a [log] [tgz]
author: Markus Armbruster <armbru@redhat.com> Mon Nov 28 20:27:37 2011 +0100
committer: Anthony Liguori <aliguori@us.ibm.com> Mon Nov 28 16:20:53 2011 -0600
tree: 2e5ccd7d2f972ddb3cde2a977ab592f2a02f1f3e
parent: aea317aaa5d92ee8789f976ccf105be67d956f5e [diff]
diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
index 2cbc81b..9f51c6c 100644
--- a/hw/ccid-card-passthru.c
+++ b/hw/ccid-card-passthru.c

@@ -150,6 +150,7 @@
             error_report("ATR size exceeds spec, ignoring");
             ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
                                         VSC_GENERAL_ERROR);
+            break;
         }
         memcpy(card->atr, data, scr_msg_header->length);
         card->atr_length = scr_msg_header->length;
commit	7e62255a4b3e0e2ab84a3ec7398640e8ed58620a	[log] [tgz]
author	Markus Armbruster <armbru@redhat.com>	Mon Nov 28 20:27:37 2011 +0100
committer	Anthony Liguori <aliguori@us.ibm.com>	Mon Nov 28 16:20:53 2011 -0600
tree	2e5ccd7d2f972ddb3cde2a977ab592f2a02f1f3e
parent	aea317aaa5d92ee8789f976ccf105be67d956f5e [diff]