[Pcsclite-muscle] libccid IFDHControl() / CmdEscape() might truncate reader response
Ludovic Rousseau
ludovic.rousseau
Tue Feb 28 07:53:10 PST 2017
2017-02-17 20:34 GMT+01:00 Maximilian Stein <maximilian.stein at secunet.com>:
> Hello again,
>
Hello,
>
> one thing I've noticed while analysing the SCardControl() code is that
> the libccid IFD handler might silently truncate the reader response if
> the RxBuffer is not large enough. In fact it is the CmdEscape() function
> that does this. But it is used, amongst others, by IFDHControl() in some
> cases (see commands.c:1008):
>
> /* copy the response */
> length_out = dw2i(cmd_out, 1);
> if (length_out > *RxLength)
>     length_out = *RxLength;
> *RxLength = length_out;
> memcpy(RxBuffer, &cmd_out[10], length_out);
>
> While other control calls for the reader (e.g. PIN handling) in
> IFDHControl() are handled via CCID_Transmit/CCID_Receive which does
> (commands.c:1567):
>
> length = dw2i(cmd, 1);
> if (length <= *rx_length)
>     *rx_length = length;
> else
> {
>     DEBUG_CRITICAL2("overrun by %d bytes", length - *rx_length);
>     length = *rx_length;
>     return_value = IFD_ERROR_INSUFFICIENT_BUFFER;
> }
> [...]
> memcpy(rx_buffer, cmd+10, length);
>
> Is this intended? If so, the behaviour of IFDHControl() is inconsistent
> regarding the handling of too small return buffers, depending on which
> control code is used. Another question is whether it is intended that the
> truncated response is delivered to the client together with the
> INSUFFICIENT_BUFFER error. The code in CCID_Receive looks a bit like it...
>
You are right.
Now IFD_ERROR_INSUFFICIENT_BUFFER is returned. The truncation is no longer
silent.
Fixed in
https://github.com/LudovicRousseau/CCID/commit/b15c8f96ca80005c3da024c031e9607051a9fe1a
Thanks
--
Dr. Ludovic Rousseau
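The two copy patterns quoted in the thread, rebuilt side by side as an added, stand-alone C example (this is not code from the thread, libccid or pcsc-lite). It assumes a local `dw2i_le()` standing in for libccid's `dw2i()`, locally defined `IFD_*` return codes named after pcsc-lite's ifdhandler.h, a constructed 16-byte CCID response whose header says the payload is 6 bytes, and a 4-byte caller buffer, so both variants truncate; only the checked variant reports it.

```c
#include <stdio.h>
#include <string.h>

/* Return codes named after pcsc-lite's ifdhandler.h; defined here so the
 * example builds without the header (numeric values assumed, not authoritative). */
#define IFD_SUCCESS 0
#define IFD_ERROR_INSUFFICIENT_BUFFER 618

/* A CCID bulk-in message carries a 10-byte header before the payload:
 * bMessageType, dwLength (4 bytes, little-endian), bSlot, bSeq, bStatus, bError, RFU. */
#define CCID_HEADER_LEN 10

/* Little-endian 32-bit decode; plays the role of libccid's dw2i(). */
static unsigned long dw2i_le(const unsigned char *buf, int offset)
{
    return (unsigned long)buf[offset]
         | ((unsigned long)buf[offset + 1] << 8)
         | ((unsigned long)buf[offset + 2] << 16)
         | ((unsigned long)buf[offset + 3] << 24);
}

/* The pattern quoted from CmdEscape(): clamp to what fits, shrink *rx_length,
 * and report success either way. The caller cannot tell data was lost. */
int copy_response_silent(const unsigned char *cmd_out,
                         unsigned char *rx_buffer, unsigned long *rx_length)
{
    unsigned long length_out = dw2i_le(cmd_out, 1);
    if (length_out > *rx_length)
        length_out = *rx_length;
    *rx_length = length_out;
    memcpy(rx_buffer, &cmd_out[CCID_HEADER_LEN], length_out);
    return IFD_SUCCESS;
}

/* The pattern quoted from CCID_Receive(): the prefix that fits is still copied
 * (so a partial response reaches the caller), but the overrun is logged and
 * IFD_ERROR_INSUFFICIENT_BUFFER is returned instead of IFD_SUCCESS. */
int copy_response_checked(const unsigned char *cmd_out,
                          unsigned char *rx_buffer, unsigned long *rx_length)
{
    int return_value = IFD_SUCCESS;
    unsigned long length = dw2i_le(cmd_out, 1);

    if (length <= *rx_length)
        *rx_length = length;
    else
    {
        fprintf(stderr, "overrun by %lu bytes\n", length - *rx_length);
        length = *rx_length;
        return_value = IFD_ERROR_INSUFFICIENT_BUFFER;
    }
    memcpy(rx_buffer, cmd_out + CCID_HEADER_LEN, length);
    return return_value;
}

/* Constructed reader response: 0x83 (RDR_to_PC_Escape), dwLength = 6,
 * slot/seq/status/error/RFU all zero, then 6 payload bytes. */
static const unsigned char SAMPLE_RESPONSE[CCID_HEADER_LEN + 6] = {
    0x83, 6, 0, 0, 0, 0, 0, 0, 0, 0,
    0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF
};

/* Run both variants against a 4-byte buffer that cannot hold the 6-byte
 * payload. Reports each variant's resulting length and returns the checked
 * variant's status so the difference can be asserted on. */
int demo_truncation(unsigned long *silent_len, unsigned long *checked_len)
{
    unsigned char rx[4];
    *silent_len = sizeof rx;
    copy_response_silent(SAMPLE_RESPONSE, rx, silent_len);   /* returns IFD_SUCCESS */
    *checked_len = sizeof rx;
    return copy_response_checked(SAMPLE_RESPONSE, rx, checked_len);
}

int main(void)
{
    unsigned long silent_len, checked_len;
    int rc = demo_truncation(&silent_len, &checked_len);
    printf("silent variant:  rc=%d, RxLength=%lu (data lost, no error)\n",
           IFD_SUCCESS, silent_len);
    printf("checked variant: rc=%d, RxLength=%lu\n", rc, checked_len);
    return 0;
}
```

A client calling SCardControl() only sees the return code and the updated length, so the checked form is the one that lets it distinguish "the reader answered with 4 bytes" from "the reader answered with more than my buffer holds"; whether the partial payload should also be delivered alongside the error, as the quoted CCID_Receive code does, is the open question Maximilian raises.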