Not sure the code is now 100% correct.
The old code looks wrong to me, it could have
led to accessing a buffer beyond its length.
But: do we need to add some error handling for
the case that the len > apdu->resplen?
Or do we silently assume the apdu has either a buffer
big enough, or no buffer at all?
Regards, Andreas
Revision: 2912
Author: aj
Date: 2006-04-26 10:07:20 +0000 (Wed, 26 Apr 2006)
Log Message:
-----------
fix a memory leak.
don't access buffer beyond length.
Modified Paths:
--------------
trunk/src/libopensc/apdu.c
Modified: trunk/src/libopensc/apdu.c
===================================================================
--- trunk/src/libopensc/apdu.c 2006-04-26 10:07:18 UTC (rev 2911)
+++ trunk/src/libopensc/apdu.c 2006-04-26 10:07:20 UTC (rev 2912)
@@ -202,8 +202,10 @@
if (nbuf == NULL)
return SC_ERROR_MEMORY_FAILURE;
/* encode the APDU in the buffer */
- if (sc_apdu2bytes(ctx, apdu, proto, nbuf, nlen) != SC_SUCCESS)
+ if (sc_apdu2bytes(ctx, apdu, proto, nbuf, nlen) != SC_SUCCESS) {
+ free(nbuf);
return SC_ERROR_INTERNAL;
+ }
*buf = nbuf;
*len = nlen;
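Review bot: the new `free(nbuf);` on the sc_apdu2bytes failure path closes the leak, but the return value of sc_apdu2bytes is still discarded and replaced by a generic SC_ERROR_INTERNAL, so the caller loses the real cause of the failure; consider capturing it (`r = sc_apdu2bytes(...); if (r != SC_SUCCESS) { free(nbuf); return r; }`) so the specific error code propagates.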
@@ -224,11 +226,10 @@
apdu->sw2 = (unsigned int)buf[len - 1];
len -= 2;
/* set output length and copy the returned data if necessary */
- if (len <= apdu->resplen)
+ if (apdu->resplen >= len) {
apdu->resplen = len;
-
- if (apdu->resplen != 0)
memcpy(apdu->resp, buf, apdu->resplen);
+ }
return SC_SUCCESS;
}
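Review bot: with `if (apdu->resplen >= len)` the case len > apdu->resplen now silently drops the whole response and leaves apdu->resplen at its caller-supplied value, so the caller cannot tell "no data returned" from "data did not fit"; returning a distinct error for that branch (libopensc already defines SC_ERROR_BUFFER_TOO_SMALL) or at least setting apdu->resplen to the number of bytes actually copied would make the truncation visible. Also, removing the `if (apdu->resplen != 0)` guard means memcpy can now be reached with a zero length and apdu->resp == NULL when the caller passed no buffer; a zero-length memcpy on a null pointer is still undefined behaviour in C, so keeping that guard inside the new block is the safer choice.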
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel