70b09a5bad
Update to v2.8.0, including integration of SLE qemu package so we are "Factory First" again for SLE qemu. Includes some spec file tweaks/cleanups as well. A number of post v2.8.0 security fixes are also included. OBS-URL: https://build.opensuse.org/request/show/461715 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=329
36 lines
1.5 KiB
Diff
36 lines
1.5 KiB
Diff
From 424bd9dd9c5d6959304faead9e81a0f81435b7d4 Mon Sep 17 00:00:00 2001
|
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Date: Fri, 3 Feb 2017 00:52:28 +0530
|
|
Subject: [PATCH] usb: ccid: check ccid apdu length
|
|
|
|
CCID device emulator uses Application Protocol Data Units(APDU)
|
|
to exchange command and responses to and from the host.
|
|
The length in these units couldn't be greater than 65536. Add
|
|
check to ensure the same. It'd also avoid potential integer
|
|
overflow in emulated_apdu_from_guest.
|
|
|
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Message-id: 20170202192228.10847-1-ppandit@redhat.com
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
(cherry picked from commit c7dfbf322595ded4e70b626bf83158a9f3807c6a)
|
|
[BR: CVE-2017-5898 BSC#1023907]
|
|
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
|
---
|
|
hw/usb/dev-smartcard-reader.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
|
|
index 89e11b68c4..1325ea1659 100644
|
|
--- a/hw/usb/dev-smartcard-reader.c
|
|
+++ b/hw/usb/dev-smartcard-reader.c
|
|
@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
|
|
DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
|
|
recv->hdr.bSeq, len);
|
|
ccid_add_pending_answer(s, (CCID_Header *)recv);
|
|
- if (s->card) {
|
|
+ if (s->card && len <= BULK_OUT_DATA_SIZE) {
|
|
ccid_card_apdu_from_guest(s->card, recv->abData, len);
|
|
} else {
|
|
DPRINTF(s, D_WARN, "warning: discarded apdu\n");
|