libccid IFDHControl() / CmdEscape() might truncate reader response

libccid IFDHControl() / CmdEscape() might truncate reader response

Stein, Maximilian
Hello again,

one thing I've noticed while analysing the SCardControl() code is that
the libccid IFD handler might silently truncate the reader response if
the RxBuffer is not large enough. In fact it is the CmdEscape() function
that does this, but it is used, amongst others, by IFDHControl() in some
cases (see commands.c:1008):

    /* copy the response */
    length_out = dw2i(cmd_out, 1);
    if (length_out > *RxLength)
        length_out = *RxLength;
    *RxLength = length_out;
    memcpy(RxBuffer, &cmd_out[10], length_out);

While other control calls for the reader (e.g. PIN handling) in
IFDHControl() are handled via CCID_Transmit/CCID_Receive which does
(commands.c:1567):

    length = dw2i(cmd, 1);
    if (length <= *rx_length)
            *rx_length = length;
    else
    {
            DEBUG_CRITICAL2("overrun by %d bytes", length - *rx_length);
            length = *rx_length;
            return_value = IFD_ERROR_INSUFFICIENT_BUFFER;
    }
[...]
        memcpy(rx_buffer, cmd+10, length);

Is this intended? If so, the behaviour of IFDHControl() is inconsistent
regarding the handling of too small return buffers depending on which
control code is used. Another question is whether it is intended that the
truncated response is delivered to the client together with the
INSUFFICIENT_BUFFER error. The code in CCID_Receive looks a bit like it...


Kind regards
Maximilian Stein

_______________________________________________
Pcsclite-muscle mailing list
[hidden email]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle

Re: libccid IFDHControl() / CmdEscape() might truncate reader response

Ludovic Rousseau
2017-02-17 20:34 GMT+01:00 Maximilian Stein <[hidden email]>:
Hello,

You are right.
Now IFD_ERROR_INSUFFICIENT_BUFFER is returned. The truncation is no more silent.

Thanks

--
 Dr. Ludovic Rousseau
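The two copy strategies discussed in this thread, side by side, as an added example written for this page (it is not libccid's code and not the fix Ludovic refers to). copy_response_silent() mirrors the quoted CmdEscape() excerpt, copy_response_checked() mirrors the quoted CCID_Receive() excerpt, and both are run against a constructed RDR_to_PC_Escape frame carrying a 12-byte answer. The checked variant adds one guard the quoted excerpts do not show: it compares the reader-supplied dwLength against the number of bytes actually received before copying, since a frame header that claims more data than arrived would otherwise make memcpy() read past the receive buffer. The IFD return code values, the reimplemented dw2i(), the frame builder, run_copy() and last_reported_len are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IFD return codes: values assumed to match pcsc-lite's ifdhandler.h */
#define IFD_SUCCESS                   0
#define IFD_COMMUNICATION_ERROR       612
#define IFD_ERROR_INSUFFICIENT_BUFFER 618
#define CCID_HEADER_LEN 10  /* CCID bulk-in header; dwLength sits at offset 1 */

/* Reimplementation of libccid's dw2i(): little-endian 32-bit read */
static uint32_t dw2i(const uint8_t *a, size_t x)
{
    return (uint32_t)a[x] | ((uint32_t)a[x + 1] << 8)
         | ((uint32_t)a[x + 2] << 16) | ((uint32_t)a[x + 3] << 24);
}

/* As in the quoted CmdEscape() excerpt: clamp to the client buffer, report
 * the clamped size, and return success anyway (silent truncation). */
int copy_response_silent(const uint8_t *frame, uint8_t *rx, size_t *rx_len)
{
    size_t length = dw2i(frame, 1);
    if (length > *rx_len)
        length = *rx_len;
    *rx_len = length;
    memcpy(rx, frame + CCID_HEADER_LEN, length);
    return IFD_SUCCESS;
}

/* As in the quoted CCID_Receive() excerpt, plus one guard: dwLength comes from
 * the reader, so it is checked against the bytes actually received before the
 * copy. The truncated prefix is still delivered, but the overrun is reported. */
int copy_response_checked(const uint8_t *frame, size_t frame_len,
                          uint8_t *rx, size_t *rx_len)
{
    int rv = IFD_SUCCESS;
    size_t length;
    if (frame_len < CCID_HEADER_LEN)
        return IFD_COMMUNICATION_ERROR;
    length = dw2i(frame, 1);
    if (length > frame_len - CCID_HEADER_LEN)
        return IFD_COMMUNICATION_ERROR;   /* header claims more than arrived */
    if (length <= *rx_len)
        *rx_len = length;
    else
    {
        fprintf(stderr, "overrun by %zu bytes\n", length - *rx_len);
        length = *rx_len;
        rv = IFD_ERROR_INSUFFICIENT_BUFFER;
    }
    memcpy(rx, frame + CCID_HEADER_LEN, length);
    return rv;
}

/* Constructed 12-byte reader answer used by the scenario below */
static const uint8_t SAMPLE_PAYLOAD[12] =
    { 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, 0xA9, 0xAA, 0x90, 0x00 };

/* Wrap SAMPLE_PAYLOAD in a constructed RDR_to_PC_Escape frame (type 0x83);
 * returns the frame length. */
static size_t build_sample_frame(uint8_t *out)
{
    memset(out, 0, CCID_HEADER_LEN);
    out[0] = 0x83;                           /* bMessageType: RDR_to_PC_Escape */
    out[1] = (uint8_t)sizeof SAMPLE_PAYLOAD; /* dwLength (LE); fits one byte */
    memcpy(out + CCID_HEADER_LEN, SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD);
    return CCID_HEADER_LEN + sizeof SAMPLE_PAYLOAD;
}

/* Length the client was told after the most recent run_copy() */
size_t last_reported_len;

/* Deliver the sample answer into a client buffer of rx_cap bytes (max 64)
 * through either routine and return the IFD code. bad_length makes dwLength
 * claim 40 bytes although only 12 follow the header. */
int run_copy(size_t rx_cap, int checked, int bad_length)
{
    uint8_t frame[64], rx[64];
    size_t rx_len = rx_cap > sizeof rx ? sizeof rx : rx_cap;
    size_t flen = build_sample_frame(frame);
    int rv;
    if (bad_length)
        frame[1] = 40;
    rv = checked ? copy_response_checked(frame, flen, rx, &rx_len)
                 : copy_response_silent(frame, rx, &rx_len);
    last_reported_len = rx_len;
    return rv;
}

int main(void)
{
    int rv = run_copy(8, 0, 0);
    printf("silent : rv=%d, client told %zu of 12 bytes\n", rv, last_reported_len);
    rv = run_copy(8, 1, 0);
    printf("checked: rv=%d, client told %zu of 12 bytes\n", rv, last_reported_len);
    return 0;
}
```

With an 8-byte client buffer both routines hand back the same 8-byte prefix and the same length; the only difference a caller can observe is the return value, which is exactly the inconsistency the first mail points out. The bad_length scenario shows why the receive path should also bound dwLength by the byte count the USB transfer actually delivered: the silent variant happily reports 40 bytes, 28 of which are whatever followed the frame in memory.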
