usb: ccid: check ccid apdu length

CCID device emulator uses Application Protocol Data Units(APDU) to exchange command and responses to and from the host. The length in these units couldn't be greater than 65536. Add check to ensure the same. It'd also avoid potential integer overflow in emulated_apdu_from_guest. Reported-by: Li Qiang <liqiang6-s@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-id: 20170202192228.10847-1-ppandit@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
author: Prasad J Pandit <pjp@fedoraproject.org> 2017-02-03 00:52:28 +0530
committer: Gerd Hoffmann <kraxel@redhat.com> 2017-02-06 10:23:18 +0100
commit: c7dfbf322595ded4e70b626bf83158a9f3807c6a (patch)
tree: 5f0691706df1e1f7ab93861fef7eff4c35fb28ca
parent: 96d87bdda3919bb16f754b3d3fd1227e1f38f13c (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
index 89e11b68c4..1325ea1659 100644
--- a/hw/usb/dev-smartcard-reader.c
+++ b/hw/usb/dev-smartcard-reader.c
@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
     DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
                 recv->hdr.bSeq, len);
     ccid_add_pending_answer(s, (CCID_Header *)recv);
-    if (s->card) {
+    if (s->card && len <= BULK_OUT_DATA_SIZE) {
         ccid_card_apdu_from_guest(s->card, recv->abData, len);
     } else {
         DPRINTF(s, D_WARN, "warning: discarded apdu\n");
author	Prasad J Pandit <pjp@fedoraproject.org>	2017-02-03 00:52:28 +0530
committer	Gerd Hoffmann <kraxel@redhat.com>	2017-02-06 10:23:18 +0100
commit	c7dfbf322595ded4e70b626bf83158a9f3807c6a (patch)
tree	5f0691706df1e1f7ab93861fef7eff4c35fb28ca
parent	96d87bdda3919bb16f754b3d3fd1227e1f38f13c (diff)