Fix a few potential panics.

author Steinar H. Gunderson <sgunderson@bigfoot.com>

Sat, 14 Nov 2020 13:00:17 +0000 (14:00 +0100)

committer Steinar H. Gunderson <sgunderson@bigfoot.com>

Sat, 14 Nov 2020 13:00:17 +0000 (14:00 +0100)
author Steinar H. Gunderson <sgunderson@bigfoot.com>
Sat, 14 Nov 2020 13:00:17 +0000 (14:00 +0100)
committer Steinar H. Gunderson <sgunderson@bigfoot.com>
Sat, 14 Nov 2020 13:00:17 +0000 (14:00 +0100)
diff --git a/multipass.rs b/multipass.rs

index 958d18955d3aacaca3279f8481097420587db52e..d3187aa283b07c407df9373f93878fda8b94f235 100644 (file)
--- a/multipass.rs
+++ b/multipass.rs
@@ -251,7 +251,7 @@ fn get_readers() -> Result<hyper::Body, Box<dyn std::error::Error>>
  }
  
  fn transmit_apdu(card: &Card, mut apdu: &[u8]) -> Result<String, Box<dyn std::error::Error>> {
-        if apdu[0] == 0xff && apdu[1] == 0xff && apdu[2] == 0x01 && apdu[3] == 0x04 {
+        if apdu.len() >= 11 && apdu[0] == 0xff && apdu[1] == 0xff && apdu[2] == 0x01 && apdu[3] == 0x04 {
              // APDUs with PIN codes are obfuscated (see /getref/ above)
              // with a special extension header used only in scproxy. The format seems to be:
              //
@@ -305,7 +305,7 @@ fn apdureq(reader_name: &str, req: String) -> Result<hyper::Body, Box<dyn std::e
          let apdus = get_apducommands(req.clone())?;
         let mut any_sensitive = false;
         for apdu in &apdus {
-               if apdu[0] == 0xff && apdu[1] == 0xff {
+               if apdu.len() >= 2 && apdu[0] == 0xff && apdu[1] == 0xff {
                         any_sensitive = true;
                 }
         }
author	Steinar H. Gunderson <sgunderson@bigfoot.com>
	Sat, 14 Nov 2020 13:00:17 +0000 (14:00 +0100)
committer	Steinar H. Gunderson <sgunderson@bigfoot.com>
	Sat, 14 Nov 2020 13:00:17 +0000 (14:00 +0100)