From f16b618755e653feb6a332f8bc168ce51e8da27b Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Wed, 24 Feb 2016 22:18:46 +0100
Subject: [PATCH] card_emu: Fix the length checks for transmit beyond rctx->tot_len

---
 firmware/src_simtrace/card_emu.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/firmware/src_simtrace/card_emu.c b/firmware/src_simtrace/card_emu.c
index 43b7e93a..54805e3c 100644
--- a/firmware/src_simtrace/card_emu.c
+++ b/firmware/src_simtrace/card_emu.c
@@ -582,9 +582,21 @@ static int tx_byte_tpdu(struct card_handle *ch)
 card_emu_uart_tx(ch->uart_chan, byte);

+ /* this must happen _after_ the byte has been transmittd */
+ switch (ch->tpdu.state) {
+ case TPDU_S_WAIT_PB:
+ /* if we just transmitted the procedure byte, we need to decide
+ * if we want to continue to receive or transmit */
+ if (td->flags & CEMU_DATA_F_PB_AND_TX)
+ set_tpdu_state(ch, TPDU_S_WAIT_TX);
+ else if (td->flags & CEMU_DATA_F_PB_AND_RX)
+ set_tpdu_state(ch, TPDU_S_WAIT_RX);
+ break;
+ }
+
 /* check if the buffer has now been fully transmitted */
 if ((rctx->idx >= td->hdr.data_len) ||
- (rctx->idx + sizeof(*td) - sizeof(td->hdr) >= rctx->tot_len)) {
+ (td->data + rctx->idx >= rctx->data + rctx->tot_len)) {
 if (td->flags & CEMU_DATA_F_PB_AND_RX) {
 /* we have just sent the procedure byte and now
 * need to continue receiving */
@@ -605,16 +617,6 @@ static int tx_byte_tpdu(struct card_handle *ch)
 ch->uart_tx_ctx = NULL;
 }

- /* this must happen _after_ the byte has been transmittd */
- switch (ch->tpdu.state) {
- case TPDU_S_WAIT_PB:
- if (td->flags & CEMU_DATA_F_PB_AND_TX)
- set_tpdu_state(ch, TPDU_S_WAIT_TX);
- else if (td->flags & CEMU_DATA_F_PB_AND_RX)
- set_tpdu_state(ch, TPDU_S_WAIT_RX);
- break;
- }
-
 return 1;
 }
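Review bot: The replaced condition on the `+` line of the first hunk only stops *further* bytes once `td->data + rctx->idx` has reached `rctx->data + rctx->tot_len`; the byte just handed to card_emu_uart_tx was fetched before this check runs, so a tx context whose tot_len is smaller than the header (td->data already at or past the end of the buffer) would still have one byte read past it, unless something above the hunk rejects such a message on arrival. I would enforce `rctx->tot_len >= sizeof(*td)` where the tx context is accepted rather than rely on this post-hoc end check, and record the assumption the new expression makes, e.g. `/* td lives inside rctx->data, so compare end pointers instead of idx + header size */`. The moved comment still reads "transmittd"; "transmitted" would be clearer. tx_byte_tpdu starts before and ends after this hunk, so the fetch of `byte` is not visible here.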