Commit
"Apparently, the fuzzer found one more similar bug: T0ProcACK() can be called with the |proc_len| parameter equal to -1, leading to stack-buffer-overflow. The stack trace is:

#1 0x56eee7 in T0ProcACK /ssd/ccid/src/fuzzer/../commands.c:1988:3
#2 0x56d1d1 in CmdXfrBlockCHAR_T0 /ssd/ccid/src/fuzzer/../commands.c:2253:20
#3 0x5754cc in IFDHTransmitToICC /ssd/ccid/src/fuzzer/../ifdhandler.c:1403:17

and the T0ProcACK() call is made from this line:
https://salsa.debian.org/rousseau/CCID/-/blob/c122e4f38cc7d1ffdb1fc0cece49145930d4634a/src/commands.c#L2197

The negative |proc_len| is the result of this equation: |exp_len - *rcv_len|, with exp_len=2, *rcv_len=3 in the found scenario."

The problem has been found by an automatic fuzzer, not by a real problem in the field.

Thanks to Maksim Ivanov for the bug report
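The failure mode in the report is a length derived by subtracting a received count from an expected count without first checking that the received count is not larger, so the callee is handed a negative length and writes past a stack buffer. The following C is an added illustration, not CCID's own code: only the names exp_len, rcv_len and proc_len come from the commit message, while the function names, the 8-byte buffer and the 16-byte sample frame are constructed here. It shows the unchecked arithmetic beside a checked version that validates the counts and the destination size before copying.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not CCID's own code. Only the names exp_len,
 * rcv_len and proc_len follow the commit message; the function names,
 * ACK_BUF_SIZE and the sample frame are constructed for this example.
 */

#define ACK_BUF_SIZE 8   /* constructed size of the toy stack buffer */

/* The arithmetic the commit message describes: exp_len - *rcv_len with no
 * range check. With exp_len = 2 and rcv_len = 3 this yields -1; a callee
 * that uses it as a copy length or index then runs past its buffer. */
int proc_len_unchecked(int exp_len, int rcv_len)
{
    return exp_len - rcv_len;
}

/* Hardened counterpart: validate the counts before deriving a length and
 * check that length against the destination before copying. Returns the
 * number of bytes copied, or -1 when rcv_len exceeds exp_len (the fuzzer's
 * case) or when the remaining bytes would not fit the destination. */
int proc_ack_copy_checked(const unsigned char *frame, unsigned int exp_len,
                          unsigned int rcv_len, unsigned char *dst,
                          size_t dst_size)
{
    unsigned int proc_len;

    if (rcv_len > exp_len)          /* would go negative in signed math */
        return -1;
    proc_len = exp_len - rcv_len;   /* now guaranteed non-negative */
    if (proc_len > dst_size)        /* and must fit the fixed buffer */
        return -1;
    memcpy(dst, frame + rcv_len, proc_len);
    return (int)proc_len;
}

/* Drives the checked copy over a local fixed-size buffer, standing in for
 * the stack buffer of the real callee. Returns what the checked copy returns. */
int proc_ack_demo(unsigned int exp_len, unsigned int rcv_len)
{
    /* constructed 16-byte sample frame */
    static const unsigned char frame[16] = {
        0x6c, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
    unsigned char buf[ACK_BUF_SIZE];

    if (exp_len > sizeof frame)     /* expected length must be within the frame */
        return -1;
    return proc_ack_copy_checked(frame, exp_len, rcv_len, buf, sizeof buf);
}

int main(void)
{
    printf("unchecked(2,3)  = %d\n", proc_len_unchecked(2, 3));  /* -1 */
    printf("checked(2,3)    = %d\n", proc_ack_demo(2, 3));       /* rejected */
    printf("checked(5,3)    = %d\n", proc_ack_demo(5, 3));       /* 2 bytes */
    printf("checked(16,3)   = %d\n", proc_ack_demo(16, 3));      /* 13 > 8, rejected */
    return 0;
}
```

The two checks are deliberately separate: the first rejects inconsistent protocol counters, the second rejects a consistent but oversized remainder, and both are enforced before any byte is written, so a fuzzer-generated frame with rcv_len greater than exp_len is refused instead of reaching the copy.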