looks like my previous mail didn't make it to the list.
here it is again:

Hello,

If logging support is compiled in, the daemon segfaults in the lookup of:

CommandsText[header.command]

The attached patch verifies that the received data actually is a valid
command.

regards,

Martin
Index: winscard_msg.h
===================================================================
--- winscard_msg.h	(revision 4962)
+++ winscard_msg.h	(working copy)
@@ -77,12 +77,17 @@
 		CMD_WAIT_READER_STATE_CHANGE = 0x13,	/**< wait for a reader state change */
 		CMD_STOP_WAITING_READER_STATE_CHANGE = 0x14	/**< stop waiting for a reader state change */
 	};
+        /** this marks the last command in the enum above. It cannt be part
+            of the enum itsself because the the protocal/CMDs 
+            cannot be extended. */
+        #define CMD_ENUM_LAST  CMD_STOP_WAITING_READER_STATE_CHANGE
 
Index: winscard_svc.c
===================================================================
--- winscard_svc.c	(revision 4962)
+++ winscard_svc.c	(working copy)
@@ -282,6 +282,14 @@
 	Log4(SCARD_S_SUCCESS == v.rv ? PCSC_LOG_DEBUG : PCSC_LOG_ERROR, "%s rv=0x%X for client %d", command, v.rv, filedes); \
 	ret = MessageSend(&v, sizeof(v), filedes);
 
+static int verify_rxheader(struct rxHeader* header) {
+  if ((header->command == 0) || (header->command > CMD_ENUM_LAST)) {
+    return -1;
+  }
+  // the command->size is verified in READ_BODY
+  return 0;
+}
+
 static void ContextThread(LPVOID newContext)
 {
 	SCONTEXT * threadContext = (SCONTEXT *) newContext;
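Review bot: verify_rxheader rejects command 0 and anything above CMD_ENUM_LAST, but if rxHeader.command is a signed integer (the struct is not in this patch, so unconfirmed) a negative value passes both tests and the caller's CommandsText[header.command] still indexes out of bounds; `if (header->command <= 0 || header->command > CMD_ENUM_LAST)` closes that gap regardless of signedness. The function never writes through its argument, so `static int verify_rxheader(const struct rxHeader *header)` states that. The check is only as good as its bound: CMD_ENUM_LAST has to be bumped by hand whenever a command is added, and CommandsText must hold at least CMD_ENUM_LAST + 1 entries, which deserves a comment next to the table and next to the define in winscard_msg.h. Style-wise the body uses two-space indentation and a `//` comment where the surrounding file uses tabs.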
@@ -302,7 +310,10 @@
 			EHTryToUnregisterClientForEvent(filedes);
 			goto exit;
 		}
-
+		if (verify_rxheader(&header) != 0) {
+		  Log1(PCSC_LOG_ERROR, "received header invalid");
+		  continue;
+		}
 		Log3(PCSC_LOG_DEBUG, "Received command: %s from client %d",
 			CommandsText[header.command], filedes);
 
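Review bot: On an invalid header the new code logs and `continue`s, but the payload announced by the header has not been consumed, so the next iteration reads leftover body bytes as a header; each garbage header is rejected and logged again until the client goes away, and a misbehaving client can keep the thread spinning in that loop. The read-error path just above unregisters the client and jumps to exit, and the invalid-header path should do the same: `Log1(PCSC_LOG_ERROR, "received header invalid");` then `EHTryToUnregisterClientForEvent(filedes);` then `goto exit;`. Whether the loop would otherwise drain the payload cannot be seen from this hunk, and ContextThread begins in the previous hunk and continues past this one. The two inserted lines are indented with a tab plus two spaces where the file uses tabs only.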