opensc/opensc-CVE-2023-40661-5of12.patch

From dd138d0600a1acd7991989127f36827e5836b24e Mon Sep 17 00:00:00 2001
From: "Ingo Struck (git commits)" <gitlab@ingostruck.de>
Date: Thu, 16 Mar 2023 22:12:49 +0100
Subject: [PATCH] Fixed loop in sc_hsm_write_ef, handle offset into buf and
 into EF separately

---
 src/libopensc/card-sc-hsm.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/libopensc/card-sc-hsm.c b/src/libopensc/card-sc-hsm.c
index 1b707f08df..c100a87c2a 100644
--- a/src/libopensc/card-sc-hsm.c
+++ b/src/libopensc/card-sc-hsm.c
@@ -782,7 +782,7 @@ static int sc_hsm_logout(sc_card_t * card)
 }
 
 
-
+/* NOTE: idx is an offset into the card's file, not into buf */
 static int sc_hsm_read_binary(sc_card_t *card,
 			       unsigned int idx, u8 *buf, size_t count,
 			       unsigned long flags)
@@ -823,7 +823,7 @@ static int sc_hsm_read_binary(sc_card_t *card,
 }
 
 
-
+/* NOTE: idx is an offset into the card's file, not into buf */
 static int sc_hsm_write_ef(sc_card_t *card,
 			       int fid,
 			       unsigned int idx, const u8 *buf, size_t count)
@@ -848,7 +848,8 @@ static int sc_hsm_write_ef(sc_card_t *card,
 	// 8 bytes are required for T54(4) and T53(4)
 	size_t blk_size = card->max_send_size - 8;
 	size_t to_send = 0;
-	size_t offset = (size_t) idx;
+	size_t file_offset = (size_t) idx;
+	size_t offset = 0;
 	do {
 		len = 0;
 		to_send = bytes_left >= blk_size ? blk_size : bytes_left;
@@ -856,8 +857,8 @@ static int sc_hsm_write_ef(sc_card_t *card,
 		// ASN1 0x54 offset
 		*p++ = 0x54;
 		*p++ = 0x02;
-		*p++ = (offset >> 8) & 0xFF;
-		*p++ = offset & 0xFF;
+		*p++ = (file_offset >> 8) & 0xFF;
+		*p++ = file_offset & 0xFF;
 		// ASN1 0x53 to_send
 		*p++ = 0x53;
 		if (to_send < 128) {
@@ -890,6 +891,7 @@ static int sc_hsm_write_ef(sc_card_t *card,
 
 		bytes_left -= to_send;
 		offset += to_send;
+		file_offset += to_send;
 	} while (0 < bytes_left);
 
 err: