dexter has uploaded this change for review. ( https://gerrit.osmocom.org/c/android-apdu-proxy/+/41803?usp=email )
Change subject: OmapiCallbackHandlerVpcd: fix extraction of DF-Name (AID)
......................................................................
OmapiCallbackHandlerVpcd: fix extraction of DF-Name (AID)
When the DF-Name (AID) is extracted from the SELECT TPDU, the length
of the TPDU is not checked properly, which may lead to an exception
in case no DF-Name (AID) is supplied. Let's put proper length checks
in place to filter corner cases and to ensure that the DF-Name (AID)
is properly extracted in case it is supplied.
Related: OS#6836
Change-Id: Idf08d752d046e012680c872552960cc069272777
---
M app/src/main/java/org/osmocom/androidApduProxy/OmapiCallbackHandlerVpcd.java
1 file changed, 24 insertions(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/android-apdu-proxy
refs/changes/03/41803/1
diff --git
a/app/src/main/java/org/osmocom/androidApduProxy/OmapiCallbackHandlerVpcd.java
b/app/src/main/java/org/osmocom/androidApduProxy/OmapiCallbackHandlerVpcd.java
index 57c5035..8f1d8c7 100644
---
a/app/src/main/java/org/osmocom/androidApduProxy/OmapiCallbackHandlerVpcd.java
+++
b/app/src/main/java/org/osmocom/androidApduProxy/OmapiCallbackHandlerVpcd.java
@@ -117,8 +117,31 @@
//AID is different, we close the OMAPI channel and re-open it
with the new AID. If this fails, we
//we just pretend that we haven't found the file.
if (Arrays.equals(Arrays.copyOf(tpdu, 3),
Utils.h2b("00A404"))) {
- byte[] aidReq = Arrays.copyOfRange(tpdu, 5, tpdu.length -
1);
int compareLength = 0;
+
+ //Make sure that the Lc field of the TPDU does not exceed
the TPDU length
+ if (tpdu[4] > tpdu.length - 5) {
+ Log.e("PROXY", String.format("SELECT by DF-Name with
invalid length field, rejecting TPDU (%s)...\n",
+ Utils.b2h(tpdu)));
+ //see also ISO/IEC 7816-4, table 5 (wrong length; no
further indication)
+ return (Utils.h2b("6700"));
+ }
+
+ //Extract the DF-Name (AID) from the TPDU.
+ byte[] aidReq;
+ if (tpdu[4] > 0) {
+ //The DF-Name (AID) does not have to represent a full
AID, a shortened (right truncated) AID
+ //is sufficient (see also ETSI TS 102 221, section
11.1.1.2).
+ aidReq = Arrays.copyOfRange(tpdu, 5, tpdu[4] + 5);
+ } else {
+ //ETSI TS 102 221, section 11.1.1.2 vaguely indicates
that the DF-Name (AID) may also be
+ //left out entirely. GlobalPlatform Card Specification
2.1.1, section 9.9.2.3 is more
+ //concrete. According to GlobalPlatform, the ISD shall
be selected in case no DF-Name is
+ //supplied. This is also coherent to Open Mobile API
Specification – Public Review
+ //v3.2.0.13, section 4.2.7.8.
+ aidReq = new byte[0];
+ }
+
if (omapiAid != null) {
if (aidReq.length < omapiAid.length)
compareLength = aidReq.length;
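Review bot: `tpdu[4]` is a signed Java byte, so both new comparisons in this hunk misbehave for an Lc field of 0x80 or above: `tpdu[4] > tpdu.length - 5` is false for a negative value, so the length guard is skipped, and `tpdu[4] > 0` is false as well, so such a TPDU is silently treated as "no DF-Name supplied" and selects the ISD instead of being rejected with 6700. Read the length field once as an unsigned value, e.g. `int lc = tpdu[4] & 0xFF;`, and use `lc` in both comparisons and in `Arrays.copyOfRange(tpdu, 5, lc + 5)`. Separately, `Arrays.copyOf(tpdu, 3)` zero-pads a shorter array, so a TPDU of fewer than five bytes still matches `00A404` and the read of `tpdu[4]` then throws ArrayIndexOutOfBoundsException, the very class of failure the change sets out to prevent; add `tpdu.length < 5` to the rejection condition before the length byte is read.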
--
To view, visit https://gerrit.osmocom.org/c/android-apdu-proxy/+/41803?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: android-apdu-proxy
Gerrit-Branch: master
Gerrit-Change-Id: Idf08d752d046e012680c872552960cc069272777
Gerrit-Change-Number: 41803
Gerrit-PatchSet: 1
Gerrit-Owner: dexter <[email protected]>