usb-ccid: add check message size checks

author Gerd Hoffmann <kraxel@redhat.com>

Thu, 16 Feb 2017 13:13:39 +0000 (14:13 +0100)

committer Gerd Hoffmann <kraxel@redhat.com>

Tue, 21 Feb 2017 07:11:43 +0000 (08:11 +0100)
author Gerd Hoffmann <kraxel@redhat.com>
Thu, 16 Feb 2017 13:13:39 +0000 (14:13 +0100)
committer Gerd Hoffmann <kraxel@redhat.com>
Tue, 21 Feb 2017 07:11:43 +0000 (08:11 +0100)
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c

index 1acc1fb37a7cf5cfe3c88bfab3a0ee0070b7847b..7cd4ed0d17e3d391682ab2a94d3e0758dc82c5d9 100644 (file)
--- a/hw/usb/dev-smartcard-reader.c
+++ b/hw/usb/dev-smartcard-reader.c
@@ -1011,12 +1011,19 @@ static void ccid_handle_bulk_out(USBCCIDState *s, USBPacket *p)
      }
  
      ccid_header = (CCID_Header *)s->bulk_out_data;
-    if (p->iov.size == CCID_MAX_PACKET_SIZE) {
+    if ((s->bulk_out_pos - 10 < ccid_header->dwLength) &&
+        (p->iov.size == CCID_MAX_PACKET_SIZE)) {
          DPRINTF(s, D_VERBOSE,
-            "usb-ccid: bulk_in: expecting more packets (%zd/%d)\n",
-            p->iov.size, ccid_header->dwLength);
+                "usb-ccid: bulk_in: expecting more packets (%d/%d)\n",
+                s->bulk_out_pos - 10, ccid_header->dwLength);
          return;
      }
+    if (s->bulk_out_pos - 10 != ccid_header->dwLength) {
+        DPRINTF(s, 1,
+                "usb-ccid: bulk_in: message size mismatch (got %d, expected %d)\n",
+                s->bulk_out_pos - 10, ccid_header->dwLength);
+        goto err;
+    }
  
      DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__,
              ccid_header->bMessageType,
author	Gerd Hoffmann <kraxel@redhat.com>
	Thu, 16 Feb 2017 13:13:39 +0000 (14:13 +0100)
committer	Gerd Hoffmann <kraxel@redhat.com>
	Tue, 21 Feb 2017 07:11:43 +0000 (08:11 +0100)