On Thu, 11 Oct 2018 23:32:49 +0200 Hilko Bengen <ben...@debian.org> wrote:
> Hi,
>
> after some digging and testing, I come to the conclusion that the
> immediate cause for the breakage I reported is the change made to the
> piv_general_io() function (src/libopensc/card-piv.c, expanded for
> context): Because rbuflen is set to zero, sc_asn1_read_tag will never
> read/parse an ASN.1 tag.
>
> Reverting this single change seems to fix my problems; however, this
> leaves the clear possibility for overflowing receive buffers that are
> passed into the function. This has so far only worked by accident...
>
> Cheers,
> -Hilko
>
> @@ -525,15 +525,16 @@ static int piv_general_io(sc_card_t *card, int ins, int
> p1, int p2,
> rbuflen = 0; /* in case rseplen < 3 i.e. not parseable */
> if ( recvbuflen && recvbuf && apdu.resplen > 3) {
> *recvbuflen = 0;
> /* we should have all the tag data, so we have to tell
> sc_asn1_find_tag
> * the buffer is bigger, so it will not produce "ASN1.tag too
> long!" */
>
> body = rbuf;
> - if (sc_asn1_read_tag(&body, 0xffff, &cla_out, &tag_out,
> &bodylen) != SC_SUCCESS) {
> + if (sc_asn1_read_tag(&body, rbuflen, &cla_out, &tag_out,
> &bodylen) != SC_SUCCESS
> + || body == NULL) {
> /* only early beta cards had this problem */
> sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "*****
> received buffer tag MISSING ");
> body = rbuf;
> /* some readers/cards might return 6c 00 */
> if (apdu.sw1 == 0x61 || apdu.sw2 == 0x6c )
> bodylen = 12000;
> else
>
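Review bot: the bound now passed to sc_asn1_read_tag is `rbuflen`, and the first context line of the hunk sets `rbuflen = 0;` with no reassignment before the call, so the parse fails on every response and control always takes the "received buffer tag MISSING" branch (exactly the breakage described above). The bound should be the number of bytes the card actually returned, which the enclosing `if` already consults as `apdu.resplen`; the old `0xffff` erred the other way and let the parser read past the response. The comment just above the call ("we have to tell sc_asn1_find_tag the buffer is bigger, so it will not produce "ASN1.tag too long!"") describes the 0xffff trick and should be rewritten together with it. In the fallback branch, `bodylen = 12000;` sets the body length with no relation to `apdu.resplen` or `*recvbuflen`, so it needs the same bounding, and its guard `apdu.sw2 == 0x6c` tests the second status byte while the comment above it describes a `6c 00` status, where 6c is SW1; confirm which byte is meant.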
I see this code changed a lot in 0.19... is this still a problem? G. >
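As an added example, not OpenSC's code and not Hilko's patch: a bounded BER tag/length reader and a caller-side body copy built around the two failure modes the message names, a zero bound (every parse fails, so the fallback path always runs) and an oversized bound (the parser reads past the response), plus the receive-buffer overrun that the copy into the caller's buffer must refuse. The names tlv_read_tag and extract_body, the error codes and the response bytes are all constructed for this illustration; the argument shape mirrors the call in the hunk so the comparison is easy to make.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded BER tag/length reader (added example; not OpenSC's
 * sc_asn1_read_tag). buflen must be the number of bytes actually present at
 * *buf: a bound of 0 makes every parse fail, a bound of 0xffff lets the parser
 * read past the end of the response. On success *buf is advanced to the body. */
enum { TLV_OK = 0, TLV_ERR_TRUNCATED = -1, TLV_ERR_BAD_LENGTH = -2,
       TLV_ERR_RECVBUF_TOO_SMALL = -3 };

int tlv_read_tag(const uint8_t **buf, size_t buflen,
                 unsigned *cla, unsigned *tag, size_t *bodylen)
{
    const uint8_t *p = *buf, *end = *buf + buflen;
    unsigned t, n;
    size_t len;

    if (buflen == 0)                         /* the rbuflen == 0 case */
        return TLV_ERR_TRUNCATED;
    *cla = *p & 0xE0;                        /* class bits + constructed flag */
    t = *p++ & 0x1F;
    if (t == 0x1F) {                         /* high tag number: base-128 bytes */
        t = 0;
        do {
            if (p >= end) return TLV_ERR_TRUNCATED;
            if (t > (UINT_MAX >> 7)) return TLV_ERR_BAD_LENGTH;
            t = (t << 7) | (*p & 0x7F);
        } while (*p++ & 0x80);
    }
    if (p >= end) return TLV_ERR_TRUNCATED;  /* no length byte received */
    if (*p < 0x80) {                         /* short form */
        len = *p++;
    } else if (*p == 0x80) {                 /* indefinite form: not valid here */
        return TLV_ERR_BAD_LENGTH;
    } else {                                 /* long form: n length bytes follow */
        n = *p++ & 0x7F;
        if (n > sizeof(size_t)) return TLV_ERR_BAD_LENGTH;
        if ((size_t)(end - p) < n) return TLV_ERR_TRUNCATED;
        for (len = 0; n > 0; n--) len = (len << 8) | *p++;
    }
    if ((size_t)(end - p) < len)             /* body must lie inside the response */
        return TLV_ERR_TRUNCATED;
    *tag = t; *bodylen = len; *buf = p;
    return TLV_OK;
}

/* Caller-side copy, shaped like a card transmit wrapper: rbuflen is what the
 * card really returned, *recvbuflen is the caller's capacity on entry and the
 * number of bytes written on exit. The copy is bounded by that capacity. */
int extract_body(const uint8_t *rbuf, size_t rbuflen,
                 uint8_t *recvbuf, size_t *recvbuflen)
{
    const uint8_t *body = rbuf;
    unsigned cla, tag;
    size_t bodylen, cap = *recvbuflen;
    int r = tlv_read_tag(&body, rbuflen, &cla, &tag, &bodylen);

    *recvbuflen = 0;
    if (r != TLV_OK) return r;
    if (bodylen > cap) return TLV_ERR_RECVBUF_TOO_SMALL;
    memcpy(recvbuf, body, bodylen);
    *recvbuflen = bodylen;
    return TLV_OK;
}

/* Constructed sample response: tag 0x53 (class 0x40, number 0x13), length 5. */
static const uint8_t RESP[] = { 0x53, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF };

int check_zero_bound_fails(void) {           /* what the patched call does */
    const uint8_t *b = RESP; unsigned c, t; size_t l;
    return tlv_read_tag(&b, 0, &c, &t, &l) == TLV_ERR_TRUNCATED;
}
int check_real_bound_parses(void) {
    const uint8_t *b = RESP; unsigned c, t; size_t l;
    return tlv_read_tag(&b, sizeof RESP, &c, &t, &l) == TLV_OK
        && c == 0x40 && t == 0x13 && l == 5 && b == RESP + 2;
}
int check_truncated_body_rejected(void) {    /* length claims 5, only 2 present */
    const uint8_t *b = RESP; unsigned c, t; size_t l;
    return tlv_read_tag(&b, 4, &c, &t, &l) == TLV_ERR_TRUNCATED;
}
int check_small_recvbuf_rejected(void) {     /* the overrun the message warns about */
    uint8_t out[4]; size_t n = sizeof out;
    return extract_body(RESP, sizeof RESP, out, &n) == TLV_ERR_RECVBUF_TOO_SMALL
        && n == 0;
}
int check_copy_ok(void) {
    uint8_t out[16]; size_t n = sizeof out;
    return extract_body(RESP, sizeof RESP, out, &n) == TLV_OK
        && n == 5 && memcmp(out, RESP + 2, 5) == 0;
}
int check_high_tag_long_length(void) {       /* 7F 49 = tag 0x49, 81 03 = length 3 */
    static const uint8_t r[] = { 0x7F, 0x49, 0x81, 0x03, 0xAA, 0xBB, 0xCC };
    const uint8_t *b = r; unsigned c, t; size_t l;
    return tlv_read_tag(&b, sizeof r, &c, &t, &l) == TLV_OK
        && c == 0x60 && t == 0x49 && l == 3 && b == r + 4;
}

int main(void) {
    printf("%d %d %d %d %d %d\n", check_zero_bound_fails(), check_real_bound_parses(),
           check_truncated_body_rejected(), check_small_recvbuf_rejected(),
           check_copy_ok(), check_high_tag_long_length());   /* all 1 when correct */
    return 0;
}
```

The design point is that the length argument is a promise about memory, not a hint to the parser: it must be the received byte count, never a constant in either direction, and the caller's capacity is checked separately before the body is copied, so a card that returns a body longer than the caller expected produces an error rather than a write past the end of recvbuf.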