hw/ccid-card-passthru.c · 32fea4025bfb80f2dbc5c3ce415703af28d85f63 · Anton / libtcg

Nov 28, 2011

ccid: Fix buffer overrun in handling of VSC_ATR message · 7e62255a

Markus Armbruster authored Nov 28, 2011



ATR size exceeding the limit is diagnosed, but then we merrily use it
anyway, overrunning card->atr[].

The message is read from a character device.  Obvious security
implications unless the other end of the character device is trusted.

Spotted by Coverity.  CVE-2011-4111.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

7e62255a

ccid: Fix buffer overrun in handling of VSC_ATR message

Markus Armbruster authored Nov 28, 2011



ATR size exceeding the limit is diagnosed, but then we merrily use it
anyway, overrunning card->atr[].

The message is read from a character device.  Obvious security
implications unless the other end of the character device is trusted.

Spotted by Coverity.  CVE-2011-4111.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>