From 3a154eaea9ddb287034e5326c615df17c64b3228 Mon Sep 17 00:00:00 2001
From: Markus Armbruster <armbru@redhat.com>
Date: Wed, 11 Jan 2012 17:22:32 +0100
Subject: [PATCH 7/7] ccid: Fix buffer overrun in handling of VSC_ATR message

RH-Author: Markus Armbruster <armbru@redhat.com>
Message-id: <1326302552-27770-2-git-send-email-armbru@redhat.com>
Patchwork-id: 36458
O-Subject: [RHEL-6.3 PATCH qemu-kvm 1/1] ccid: Fix buffer overrun in handling of VSC_ATR message
Bugzilla: 752003
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Petr Matousek <pmatouse@redhat.com>
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Acked-by: Alon Levy <alevy@redhat.com>

ATR size exceeding the limit is diagnosed, but then we merrily use it
anyway, overrunning card->atr[].

The message is read from a character device.  Obvious security
implications unless the other end of the character device is trusted.

Spotted by Coverity.  CVE-2011-4111.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a)
---
 hw/ccid-card-passthru.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

Signed-off-by: Michal Novotny <minovotn@redhat.com>
---
 hw/ccid-card-passthru.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
index cad870e..d713026 100644
--- a/hw/ccid-card-passthru.c
+++ b/hw/ccid-card-passthru.c
@@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card,
             error_report("ATR size exceeds spec, ignoring");
             ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
                                         VSC_GENERAL_ERROR);
+            break;
         }
         memcpy(card->atr, data, scr_msg_header->length);
         card->atr_length = scr_msg_header->length;
-- 
1.7.7.5