diff options
| author | Werner Koch <[email protected]> | 2014-11-24 18:12:37 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2014-11-24 18:27:20 +0000 |
| commit | 7a068ac50bc48de26e93cfeadf412b37257f97d5 (patch) | |
| tree | 74ebafd044788079225078b4d6ee97b990f857c2 | |
| parent | gpg: Fix a NULL-deref for invalid input data. (diff) | |
| download | gnupg-7a068ac50bc48de26e93cfeadf412b37257f97d5.tar.gz gnupg-7a068ac50bc48de26e93cfeadf412b37257f97d5.zip | |
gpg: Fix off-by-one read in the attribute subpacket parser.
* g10/parse-packet.c (parse_attribute_subpkts): Check that the
attribute packet is large enough for the subpacket type.
--
Reported-by: Hanno Böck
Signed-off-by: Werner Koch <[email protected]>
(backported from commit 0988764397f99db4efef1eabcdb8072d6159af76)
| -rw-r--r-- | g10/parse-packet.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/g10/parse-packet.c b/g10/parse-packet.c index f1d7f7131..99ff7b7b1 100644 --- a/g10/parse-packet.c +++ b/g10/parse-packet.c @@ -2102,6 +2102,14 @@ parse_attribute_subpkts(PKT_user_id *uid) if( buflen < n ) goto too_short; + if (!n) + { + /* Too short to encode the subpacket type. */ + if (opt.verbose) + log_info ("attribute subpacket too short\n"); + break; + } + attribs=xrealloc(attribs,(count+1)*sizeof(struct user_attribute)); memset(&attribs[count],0,sizeof(struct user_attribute)); |