Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:Update
xen.5853
CVE-2017-5898-qemuu-usb-integer-overflow-in-emu...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2017-5898-qemuu-usb-integer-overflow-in-emulated_apdu_from_guest.patch of Package xen.5853
References: bsc#1024307 CVE-2017-5898 Subject: usb: ccid: check ccid apdu length From: Prasad J Pandit pjp@fedoraproject.org Fri Feb 3 00:52:28 2017 +0530 Date: Mon Feb 6 10:23:18 2017 +0100: Git: c7dfbf322595ded4e70b626bf83158a9f3807c6a CCID device emulator uses Application Protocol Data Units(APDU) to exchange command and responses to and from the host. The length in these units couldn't be greater than 65536. Add check to ensure the same. It'd also avoid potential integer overflow in emulated_apdu_from_guest. Reported-by: Li Qiang <liqiang6-s@360.cn> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-id: 20170202192228.10847-1-ppandit@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/dev-smartcard-reader.c =================================================================== --- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/usb/dev-smartcard-reader.c +++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/dev-smartcard-reader.c @@ -962,7 +962,7 @@ static void ccid_on_apdu_from_guest(USBC DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__, recv->hdr.bSeq, len); ccid_add_pending_answer(s, (CCID_Header *)recv); - if (s->card) { + if (s->card && len <= BULK_OUT_DATA_SIZE) { ccid_card_apdu_from_guest(s->card, recv->abData, len); } else { DPRINTF(s, D_WARN, "warning: discarded apdu\n");
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor