pkgsrc/security/pcsc-lite/patches/patch-ac

$NetBSD: patch-ac,v 1.5 2010/12/17 17:00:35 shannonjr Exp $

--- src/atrhandler.c.orig	2009-07-28 20:57:07.000000000 +0000
+++ src/atrhandler.c
@@ -239,6 +239,13 @@ short ATRDecodeAtr(PSMARTCARD_EXTENSION 
 	if (psExtension->CardCapabilities.AvailableProtocols & SCARD_PROTOCOL_T1)
 		TCK = pucAtr[p++];
 
+        /*
+	 * The following 2 lines were backported from PCSC-lite version 1.6.6
+         * to correct buffer overflow vulnerability.
+         */
+	if (p > MAX_ATR_SIZE)
+                return 0;       /** @retval 0 Maximum attribute size */
+
 	memcpy(psExtension->ATR.Value, pucAtr, p);
 	psExtension->ATR.Length = p;	/* modified from p-1 */
Backported security fix from Version 1.6.6 of pcsc-lite. The fix bounds the value of a pointer, prior to a memcpy(), to prevent a buffer overflow. 2010-12-17 18:00:35 +01:00			$NetBSD: patch-ac,v 1.5 2010/12/17 17:00:35 shannonjr Exp $

			`--- src/atrhandler.c.orig 2009-07-28 20:57:07.000000000 +0000`
			`+++ src/atrhandler.c`
			`@@ -239,6 +239,13 @@ short ATRDecodeAtr(PSMARTCARD_EXTENSION`
			`if (psExtension->CardCapabilities.AvailableProtocols & SCARD_PROTOCOL_T1)`
			`TCK = pucAtr[p++];`

			`+ /*`
			`+ * The following 2 lines were backported from PCSC-lite version 1.6.6`
			`+ * to correct buffer overflow vulnerability.`
			`+ */`
			`+ if (p > MAX_ATR_SIZE)`
			`+ return 0; /** @retval 0 Maximum attribute size */`
			`+`
			`memcpy(psExtension->ATR.Value, pucAtr, p);`
			`psExtension->ATR.Length = p; /* modified from p-1 */`