iso7816.c: Check length of file_ref to prevent buffer overrun

xhanulik · Jakuje · commit 6923b97d59f8 · 2024-05-31T15:37:40.000+02:00
diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c
@@ -1003,7 +1003,7 @@ iso7816_set_security_env(struct sc_card *card,
 		*p++ = env->algorithm_ref & 0xFF;
 	}
 	if (env->flags & SC_SEC_ENV_FILE_REF_PRESENT) {
-		if (env->file_ref.len > 0xFF)
+		if (env->file_ref.len > SC_MAX_PATH_SIZE)
 			return SC_ERROR_INVALID_ARGUMENTS;
 		if (sizeof(sbuf) - (p - sbuf) < env->file_ref.len + 2)
 			return SC_ERROR_OFFSET_TOO_LARGE;

Original file line number	Diff line number	Diff line change
`@@ -1003,7 +1003,7 @@ iso7816_set_security_env(struct sc_card *card,`
`1003`	`1003`	`*p++ = env->algorithm_ref & 0xFF;`
`1004`	`1004`	`}`
`1005`	`1005`	`if (env->flags & SC_SEC_ENV_FILE_REF_PRESENT) {`
`1006`		`- if (env->file_ref.len > 0xFF)`
	`1006`	`+ if (env->file_ref.len > SC_MAX_PATH_SIZE)`
`1007`	`1007`	`return SC_ERROR_INVALID_ARGUMENTS;`
`1008`	`1008`	`if (sizeof(sbuf) - (p - sbuf) < env->file_ref.len + 2)`
`1009`	`1009`	`return SC_ERROR_OFFSET_TOO_LARGE;`