commit fdb9e903eb124b6b18a5a9350a26eceb775585bc Author: Veronika Hanulíková Date: Tue Jul 16 14:05:36 2024 +0200 cac: Check return value when selecting AID Thanks Matteo Marini for report https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8 fuzz_pkcs11/14 Index: opensc-0.22.0/src/libopensc/card-cac.c =================================================================== --- opensc-0.22.0.orig/src/libopensc/card-cac.c +++ opensc-0.22.0/src/libopensc/card-cac.c @@ -1302,10 +1302,10 @@ static int cac_parse_aid(sc_card_t *card /* Call without OID set will just select the AID without subsequent * OID selection, which we need to figure out just now */ - cac_select_file_by_type(card, &new_object.path, NULL); + r = cac_select_file_by_type(card, &new_object.path, NULL); + LOG_TEST_RET(card->ctx, r, "Cannot select AID"); r = cac_get_properties(card, &prop); - if (r < 0) - return SC_ERROR_INTERNAL; + LOG_TEST_RET(card->ctx, r, "Cannot get CAC properties"); for (i = 0; i < prop.num_objects; i++) { /* don't fail just because we have more certs than we can support */ Index: opensc-0.22.0/src/libopensc/card-cardos.c =================================================================== --- opensc-0.22.0.orig/src/libopensc/card-cardos.c +++ opensc-0.22.0/src/libopensc/card-cardos.c @@ -1277,7 +1277,7 @@ cardos_lifecycle_get(sc_card_t *card, in LOG_TEST_RET(card->ctx, r, "Card returned error"); if (apdu.resplen < 1) { - LOG_TEST_RET(card->ctx, r, "Lifecycle byte not in response"); + LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Lifecycle byte not in response"); } r = SC_SUCCESS; Index: opensc-0.22.0/src/libopensc/card-jpki.c =================================================================== --- opensc-0.22.0.orig/src/libopensc/card-jpki.c +++ opensc-0.22.0/src/libopensc/card-jpki.c @@ -195,6 +195,8 @@ jpki_select_file(struct sc_card *card, u8 buf[4]; rc = sc_read_binary(card, 0, buf, 4, 0); LOG_TEST_RET(card->ctx, rc, "SW Check failed"); + if (rc < 4) + LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Received data too short"); file = sc_file_new(); if (!file) { LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);