cac: Avoid OOB reads for inconsistent TLV structures
parent
50b000047c
commit
79c0dbaa4e
|
@ -1555,8 +1555,15 @@ static int cac_parse_CCC(sc_card_t *card, cac_private_data_t *priv, u8 *tl,
|
||||||
for (; (tl < tl_end) && (val< val_end); val += len) {
|
for (; (tl < tl_end) && (val< val_end); val += len) {
|
||||||
/* get the tag and the length */
|
/* get the tag and the length */
|
||||||
u8 tag;
|
u8 tag;
|
||||||
if (sc_simpletlv_read_tag(&tl, tl_end - tl, &tag, &len) != SC_SUCCESS)
|
r = sc_simpletlv_read_tag(&tl, tl_end - tl, &tag, &len);
|
||||||
|
if (r != SC_SUCCESS && r != SC_ERROR_TLV_END_OF_CONTENTS) {
|
||||||
|
sc_log(card->ctx, "Failed to parse tag from buffer");
|
||||||
break;
|
break;
|
||||||
|
}
|
||||||
|
if (val + len > val_end) {
|
||||||
|
sc_log(card->ctx, "Invalid length %"SC_FORMAT_LEN_SIZE_T"u", len);
|
||||||
|
break;
|
||||||
|
}
|
||||||
switch (tag) {
|
switch (tag) {
|
||||||
case CAC_TAG_CUID:
|
case CAC_TAG_CUID:
|
||||||
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,"TAG:CUID");
|
sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,"TAG:CUID");
|
||||||
|
|
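Review bot: The new bound check `if (val + len > val_end)` forms the pointer `val + len` before comparing it, and for a card-supplied `len` larger than the remaining value buffer that pointer is already out of range, which is undefined behaviour in C and lets a compiler drop the test. The loop condition guarantees `val < val_end` at this point, so the comparison can be done on sizes instead: `if (len > (size_t)(val_end - val)) {`. Separately, on this `break` `r` holds either `SC_SUCCESS` or `SC_ERROR_TLV_END_OF_CONTENTS`, not a dedicated error for the bad length. The rest of cac_parse_CCC lies outside the hunk, so it is worth confirming that a truncated CCC is reported to the caller as a failure rather than a successful parse.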