[Pcsclite-muscle] libccid IFDHControl() / CmdEscape() might truncate reader response

Maximilian Stein maximilian.stein
Fri Feb 17 11:34:02 PST 2017

Hello again,

one thing I've noticed while analysing the SCardControl() code is that
the libccid IFD handler might silently truncate the reader response if
the RxBuffer is not large enough. In fact it is the CmdEscape() function
that does this, but it is used, amongst others, by IFDHControl() in some
cases (see commands.c:1008):

    /* copy the response */
    length_out = dw2i(cmd_out, 1);
    if (length_out > *RxLength)
        length_out = *RxLength;
    *RxLength = length_out;
    memcpy(RxBuffer, &cmd_out[10], length_out);

While other control calls for the reader (e.g. PIN handling) in
IFDHControl() are handled via CCID_Transmit/CCID_Receive, which does

    length = dw2i(cmd, 1);
    if (length <= *rx_length)
        *rx_length = length;
    else
    {
        DEBUG_CRITICAL2("overrun by %d bytes", length - *rx_length);
        length = *rx_length;
        return_value = IFD_ERROR_INSUFFICIENT_BUFFER;
    }

    memcpy(rx_buffer, cmd+10, length);

Is this intended? If so, the behaviour of IFDHControl() is inconsistent
regarding the handling of too-small return buffers, depending on which
control code is used. Another question is whether it is intended that the
truncated response is delivered to the client together with the
INSUFFICIENT_BUFFER error. The code in CCID_Receive looks a bit like it...

Kind regards
Maximilian Stein
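The two copy paths quoted in the message above, modelled side by side as an added example (this is not libccid code and not part of the original post). It assumes the 10-byte RDR_to_PC header layout from the CCID specification (dwLength little-endian at offset 1, payload from offset 10), a constructed 8-byte escape response, and a caller buffer that is too small, so the difference between silent clamping and clamping with IFD_ERROR_INSUFFICIENT_BUFFER is visible in the return code. The helper names (copy_silent, copy_reporting, run_policy) are hypothetical; dw2i() mirrors the libccid helper of the same name.

```c
/*
 * Added example (not libccid code): a model of how a CCID IFD handler copies
 * the payload of an RDR_to_PC response into a caller-supplied buffer, with
 * the two truncation policies from the message above side by side.
 *
 * Layout of an RDR_to_PC_Escape response (CCID spec, 10-byte header):
 *   [0]    bMessageType (0x83)
 *   [1..4] dwLength, little-endian length of abData
 *   [5]    bSlot
 *   [6]    bSeq
 *   [7]    bStatus
 *   [8]    bError
 *   [9]    bRFU
 *   [10..] abData
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFD_SUCCESS                   0
/* 618 matches pcsc-lite's ifdhandler.h; the example only needs it to differ
 * from IFD_SUCCESS. */
#define IFD_ERROR_INSUFFICIENT_BUFFER 618

/* Little-endian 32-bit read at offset i, as in libccid's dw2i(). */
static uint32_t dw2i(const uint8_t *buf, size_t i)
{
    return (uint32_t)buf[i] | ((uint32_t)buf[i + 1] << 8) |
           ((uint32_t)buf[i + 2] << 16) | ((uint32_t)buf[i + 3] << 24);
}

/* Policy A (the CmdEscape() path): clamp, copy, report success. */
static int copy_silent(const uint8_t *cmd_out, uint8_t *rx, size_t *rx_len)
{
    size_t length_out = dw2i(cmd_out, 1);
    if (length_out > *rx_len)
        length_out = *rx_len;      /* truncation is invisible to the caller */
    *rx_len = length_out;
    memcpy(rx, &cmd_out[10], length_out);
    return IFD_SUCCESS;
}

/* Policy B (the CCID_Receive() path): clamp, copy, but flag the overrun. */
static int copy_reporting(const uint8_t *cmd_out, uint8_t *rx, size_t *rx_len)
{
    int rv = IFD_SUCCESS;
    size_t length = dw2i(cmd_out, 1);
    if (length <= *rx_len)
        *rx_len = length;
    else
    {
        fprintf(stderr, "overrun by %zu bytes\n", length - *rx_len);
        length = *rx_len;
        rv = IFD_ERROR_INSUFFICIENT_BUFFER;
    }
    memcpy(rx, &cmd_out[10], length);  /* truncated data is still delivered */
    return rv;
}

/* Constructed escape response: 10-byte header, dwLength = 8, payload 01..08. */
static const uint8_t sample_response[10 + 8] = {
    0x83, 0x08, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
};

/* Run one policy with a caller buffer of 'cap' bytes (cap <= 64). Returns the
 * IFD code and stores the number of bytes delivered in *delivered. */
static int run_policy(int (*policy)(const uint8_t *, uint8_t *, size_t *),
                      size_t cap, size_t *delivered)
{
    uint8_t rx[64] = {0};
    size_t rx_len = cap;
    int rv = policy(sample_response, rx, &rx_len);
    *delivered = rx_len;
    return rv;
}

int main(void)
{
    size_t n;
    int rv = run_policy(copy_silent, 4, &n);
    printf("CmdEscape-style:    rv=%d, delivered %zu of 8 bytes\n", rv, n);
    rv = run_policy(copy_reporting, 4, &n);
    printf("CCID_Receive-style: rv=%d, delivered %zu of 8 bytes\n", rv, n);
    return 0;
}
```

With a 4-byte caller buffer both policies hand back 4 of the 8 payload bytes; only the CCID_Receive-style path tells the caller that anything was lost, which is the inconsistency the message points out. A caller that relies on the returned length alone cannot distinguish a genuinely short response from a clamped one on the CmdEscape() path.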
