[Pcsclite-muscle] Possible data truncation on receive in 1.8.14

Marcin Cieslak saper
Fri Nov 13 04:40:17 PST 2015


My setup (FreeBSD+OmniKey 4040 PCMCIA+OpenCT IFD) started
having trouble after 1.8.14 upgrade (truncated responses
from the card terminal that didn't end with 90 00). 

The problem turns out is that the receive buffer size
is now 65548 bytes on my platform,
and my configuration seem to return only
12 bytes with such a large buffer.

More details:


The patch is attached:


and also inline below.

All the best,


>From 31d3c31514a3da27b117bcfc5c0de781ed2ea1fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Cie=C5=9Blak?= <saper at saper.info>
Date: Fri, 13 Nov 2015 12:30:05 +0100
Subject: [PATCH] SCardTransmit: Use supplied receive buffer length

After 8eb9ea1b354b050f997d003cf3b0c5b56f29f9f7
the receive buffer size is always
set to sizeof pbRecvBuffer, even if the client
supplies a smaller size.

For Ominkey 4040 PCMCIA connected via OpenCT
ifdhandler this value (65548) is too large, and
returns only 12 bytes of data.

Since we already checked for the buffer overflow
above, it is safe to use a client-supplied
receive buffer size.

Additionally log the receive buffer size used
in SCardTransmit.
 src/winscard.c     | 1 +
 src/winscard_svc.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/winscard.c b/src/winscard.c
index 67eb9b0..e18e5f5 100644
--- a/src/winscard.c
+++ b/src/winscard.c
@@ -1604,6 +1604,7 @@ LONG SCardTransmit(SCARDHANDLE hCard, const SCARD_IO_REQUEST *pioSendPci,
 	/* the protocol number is decoded a few lines above */
 	Log2(PCSC_LOG_DEBUG, "Send Protocol: T=%ld", sSendPci.Protocol);
+	Log2(PCSC_LOG_DEBUG, "Rcv buffer size: %ld", dwRxLength);
 	tempRxLength = dwRxLength;
diff --git a/src/winscard_svc.c b/src/winscard_svc.c
index 75e4c8e..35607a4 100644
--- a/src/winscard_svc.c
+++ b/src/winscard_svc.c
@@ -636,7 +636,7 @@ static void ContextThread(LPVOID newContext)
 				ioSendPci.cbPciLength = trStr.ioSendPciLength;
 				ioRecvPci.dwProtocol = trStr.ioRecvPciProtocol;
 				ioRecvPci.cbPciLength = trStr.ioRecvPciLength;
-				cbRecvLength = sizeof pbRecvBuffer;
+				cbRecvLength = trStr.pcbRecvLength;
 				trStr.rv = SCardTransmit(trStr.hCard, &ioSendPci,
 					pbSendBuffer, trStr.cbSendLength, &ioRecvPci,

More information about the pcsclite-muscle mailing list