From 79c0dbaa4e47ad8d9d43b327f5cc34c2f31dd873 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Mon, 9 Jul 2018 14:13:41 +0200
Subject: [PATCH] cac: Avoid OOB reads for inconsistent TLV structures
---
 src/libopensc/card-cac.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
index 4e971eed..eeab07e4 100644
--- a/src/libopensc/card-cac.c
+++ b/src/libopensc/card-cac.c
@@ -1555,8 +1555,15 @@ static int cac_parse_CCC(sc_card_t *card, cac_private_data_t *priv, u8 *tl,
 for (; (tl < tl_end) && (val< val_end); val += len) {
 /* get the tag and the length */
 u8 tag;
- if (sc_simpletlv_read_tag(&tl, tl_end - tl, &tag, &len) != SC_SUCCESS)
+ r = sc_simpletlv_read_tag(&tl, tl_end - tl, &tag, &len);
+ if (r != SC_SUCCESS && r != SC_ERROR_TLV_END_OF_CONTENTS) {
+ sc_log(card->ctx, "Failed to parse tag from buffer");
 break;
+ }
+ if (val + len > val_end) {
+ sc_log(card->ctx, "Invalid length %"SC_FORMAT_LEN_SIZE_T"u", len);
+ break;
+ }
 switch (tag) {
 case CAC_TAG_CUID:
 sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,"TAG:CUID");
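Review bot: The new bounds check `if (val + len > val_end)` forms a pointer past the end of the value buffer before comparing it, which is undefined behaviour in C precisely when `len` exceeds the remaining bytes — the inconsistent-TLV case this commit is meant to reject — and with a large `len` the resulting address can wrap so the comparison passes; compare lengths instead, `if (len > (size_t)(val_end - val)) {`. The same applies to the earlier `tl_end - tl` argument only if that difference can be negative, which the loop condition `tl < tl_end` appears to rule out. The accepted `SC_ERROR_TLV_END_OF_CONTENTS` return also falls through into `switch (tag)`; if sc_simpletlv_read_tag does not assign `tag` and `len` on that return, `tag` is read uninitialized here, so this is worth confirming against that function's definition and, if needed, a `continue` or `break` on that path. The enclosing for loop and cac_parse_CCC start and end outside the hunk.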