[Pcsclite-muscle] Potential hang in SCardTransmit
Ludovic Rousseau
ludovic.rousseau at gmail.com
Wed Aug 5 13:04:24 EDT 2020
Le mar. 28 juil. 2020 à 21:35, Maksim Ivanov <emaxx at google.com> a écrit :
>
> Hello,
Hello Maksim,
> It seems that there's (at least half-hypothetical) scenario when
> SCardTransmit may hang.
>
> The combination is:
> the service's |readerState| is (SCARD_PRESENT | SCARD_POWERED |
> SCARD_NEGOTIABLE);
> the service's |cardProtocol| is SCARD_PROTOCOL_UNDEFINED (right after power-up);
> the caller's |pioSendPci->dwProtocol| is SCARD_PROTOCOL_ANY_OLD.
>
> In that case, the hang happens in the loop that attempts to find the
> highest bit in the |cardProtocol| value; it doesn't handle the case
> when the latter is zero:
> https://salsa.debian.org/rousseau/PCSC/-/blob/467df10d439f6d739cd48a51f2b3dd543b1a64ce/src/winscard.c#L1583
>
> P.S. Sorry if I misunderstood something and this case can never occur
> in practice.
The problem DOES occur in practice.
I was able to trigger the bug using a very short sample code.
I don't know if it is a good idea to publish the exploit code.
I fixed the problem in
https://salsa.debian.org/rousseau/PCSC/-/commit/38dfe5c1f474db519e1f7e31cf714ba5d4c6cfa4
Thanks
--
Dr. Ludovic Rousseau
More information about the pcsclite-muscle
mailing list