[Opensc-devel] Preventing malformed ODFs causing segfaults.

[Dirk-Willem v. G. <di...@we...>]

We seem to be a bit trusting of the cruft which can be on a card; found I needed below to stop naughty cards
from causing segfaults (and hence locking subsequent users out of their desktops (a bit of fragility outside OpenSC)).

Just wondering - is this sort of thing common (and should I scan most of the code for this) — or have i found a rare case ?

Dw.

https://github.com/OpenSC/OpenSC/commit/1061b5ded0edbc6a1f2cb4fd599b7c950ffe18ff

src/libopensc/dir.c
@@ -149,6 +149,10 @@ int sc_enum_apps(sc_card_t *card)
 	r = sc_select_file(card, &path, &card->ef_dir);
 	LOG_TEST_RET(ctx, r, "Cannot select EF.DIR file");
 
+	if (card->ef_dir == NULL) {
+		LOG_TEST_RET(ctx, SC_ERROR_INVALID_CARD, "EF(DIR) nonexistant.");
+	}
+
 	if (card->ef_dir->type != SC_FILE_TYPE_WORKING_EF) {
 		sc_file_free(card->ef_dir);
 		card->ef_dir = NULL;

src/libopensc/pkcs15.c
@@ -1044,6 +1044,10 @@ sc_pkcs15_bind_internal(struct sc_pkcs15_card *p15card, struct sc_aid *aid)
 			sc_log(ctx, "Cannot make absolute path to EF(ODF); error:%i", err);
 			goto end;
 		}
+		if (p15card->file_odf == NULL) {
+			sc_log(ctx, "After making absolute path to EF(ODF) still no odf.");
+			goto end;
+		}
 		sc_log(ctx, "absolute path to EF(ODF) %s", sc_print_path(&tmppath));
 		err = sc_select_file(card, &tmppath, &p15card->file_odf);
 	}
@@ -1059,6 +1063,8 @@ sc_pkcs15_bind_internal(struct sc_pkcs15_card *p15card, struct sc_aid *aid)
 		goto end;
 	}
 
+	assert(p15card->file_odf);
+
 	len = p15card->file_odf->size;
 	if (!len) {
 		sc_log(ctx, "EF(ODF) is empty”);