T0ProcACK: fix a potential problem
" Apparently, the fuzzer found one more similar bug: T0ProcACK() can be
called with the |proc_len| parameter equal to -1, leading to
stack-buffer-overflow.

The stack trace is:

    #1 0x56eee7 in T0ProcACK /ssd/ccid/src/fuzzer/../commands.c:1988:3
    #2 0x56d1d1 in CmdXfrBlockCHAR_T0 /ssd/ccid/src/fuzzer/../commands.c:2253:20
    #3 0x5754cc in IFDHTransmitToICC /ssd/ccid/src/fuzzer/../ifdhandler.c:1403:17

and the T0ProcACK() call is made from this line:
https://salsa.debian.org/rousseau/CCID/-/blob/c122e4f38cc7d1ffdb1fc0cece49145930d4634a/src/commands.c#L2197

The negative |proc_len| is the result of this equation: |exp_len -
*rcv_len|, with exp_len=2, *rcv_len=3 in the found scenario. "

The problem has been found by an automatic fuzzer, not by a real problem
in the field.

Thanks to Maksim Ivanov for the bug report
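The following is an added illustration of the length-handling pattern behind this fix; it is example code written for this page, not code from the CCID project. The function names (ack_copy, transmit_step, demo_case, unsigned_difference), the buffer size and the result codes are hypothetical stand-ins: ack_copy plays the role of T0ProcACK() with the new `proc_len < 0` guard, transmit_step plays the role of the caller computing `exp_len - *rcv_len`, and unsigned_difference shows why that guard only works when the length variable is signed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64          /* constructed buffer size for the demo */
#define RC_OK 0
#define RC_COMM_ERROR (-1)   /* hypothetical stand-in for IFD_COMMUNICATION_ERROR */

/* Hypothetical callee. Mirrors the guard the commit adds to T0ProcACK():
 * a negative length is rejected before it can drive any copy. A length
 * larger than the destination buffer is rejected as well. */
static int ack_copy(unsigned char *dst, size_t dst_size,
                    const unsigned char *src, int proc_len)
{
    if (proc_len < 0)
        return RC_COMM_ERROR;          /* the check the commit introduces */
    if ((size_t)proc_len > dst_size)
        return RC_COMM_ERROR;          /* defensive upper bound on the copy */
    memcpy(dst, src, (size_t)proc_len);
    return RC_OK;
}

/* Hypothetical caller. Computes the remaining length the way the commit
 * message describes (exp_len - *rcv_len), but in signed arithmetic, so
 * that the callee's "< 0" test is meaningful. */
static int transmit_step(unsigned int exp_len, unsigned int rcv_len,
                         unsigned char *dst, size_t dst_size,
                         const unsigned char *src)
{
    if (exp_len > INT_MAX || rcv_len > INT_MAX)
        return RC_COMM_ERROR;          /* keep the conversion to int well defined */
    int proc_len = (int)exp_len - (int)rcv_len;
    return ack_copy(dst, dst_size, src, proc_len);
}

/* The same subtraction in unsigned arithmetic: 2u - 3u does not become
 * negative, it wraps to UINT_MAX. A "< 0" guard on an unsigned variable is
 * dead code, and the wrapped value would still reach the copy. */
unsigned int unsigned_difference(unsigned int exp_len, unsigned int rcv_len)
{
    return exp_len - rcv_len;
}

/* Runs one constructed scenario on stack buffers and returns the result code. */
int demo_case(unsigned int exp_len, unsigned int rcv_len)
{
    unsigned char src[BUF_SIZE];
    unsigned char dst[BUF_SIZE];
    memset(src, 0xAB, sizeof src);     /* constructed payload bytes */
    memset(dst, 0, sizeof dst);
    return transmit_step(exp_len, rcv_len, dst, sizeof dst, src);
}

int main(void)
{
    /* The fuzzer's scenario from the commit message: exp_len=2, *rcv_len=3 */
    printf("exp_len=2, rcv_len=3 -> %d (error expected: %d)\n",
           demo_case(2, 3), RC_COMM_ERROR);
    printf("exp_len=5, rcv_len=3 -> %d (ok expected: %d)\n",
           demo_case(5, 3), RC_OK);
    printf("unsigned 2 - 3 = %u\n", unsigned_difference(2, 3));
    return 0;
}
```

The point of unsigned_difference is the check a reviewer would make on the real patch: the `proc_len < 0` guard is only effective if proc_len is declared with a signed type; with an unsigned type the caller's subtraction wraps instead of going negative and a length bound against the destination buffer is the guard that actually matters.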
LudovicRousseau committed Aug 8, 2020
1 parent 913d37d commit 6c0bcf3
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions src/commands.c
Expand Up @@ -1855,6 +1855,9 @@ static RESPONSECODE T0ProcACK(unsigned int reader_index,

DEBUG_COMM2("Enter, is_rcv = %d", is_rcv);

if (proc_len < 0)
return IFD_COMMUNICATION_ERROR;

if (is_rcv == 1)
{ /* Receiving mode */
unsigned int remain_len;
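Review bot: the new `if (proc_len < 0) return IFD_COMMUNICATION_ERROR;` is only effective if `proc_len` has a signed type; the hunk header shows `reader_index` as `unsigned int` but not the declaration of `proc_len`, so confirm it is `int`, because with an unsigned type the caller's `exp_len - *rcv_len` would wrap to a large value, this check would be dead code, and the oversized length would still reach the copy. Consider also rejecting the inconsistent state at the call site where `exp_len - *rcv_len` is computed (the line the commit message points to), rather than only in the callee, and adding a `DEBUG_COMM` line on this error return, next to the existing `DEBUG_COMM2("Enter, is_rcv = %d", is_rcv);`, so the condition is visible in logs if it ever occurs outside the fuzzer.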
