-rw-r--r--g10/ChangeLog5
-rw-r--r--g10/parse-packet.c22
2 files changed, 24 insertions, 3 deletions
diff --git a/g10/ChangeLog b/g10/ChangeLog
index 44f7dbccb..e9632bb77 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,8 @@
+2007-02-04 Werner Koch <[email protected]>
+
+ * parse-packet.c (parse_signature): Limit bytes read for an
+ unknown alogorithm. Fixes Debian bug#402592.
+
2007-02-01 David Shaw <[email protected]>
* main.h, keygen.c (ask_expire_interval, parse_expire_string):
diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index ed4db4335..639115252 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -38,6 +38,11 @@
#include "main.h"
#include "i18n.h"
+#ifndef MAX_EXTERN_MPI_BITS
+#define MAX_EXTERN_MPI_BITS 16384
+#endif
+
+
static int mpi_print_mode;
static int list_mode;
static FILE *listfp;
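Review bot: `MAX_EXTERN_MPI_BITS` is added without a comment, and the `#ifndef` guard lets a build flag or an earlier header set it to any value, so the size cap derived from it in parse_signature changes silently with it. A short comment would state the intent, e.g. `/* Maximum size in bits of an MPI accepted from external data; also bounds opaque signature material. */`. If larger overrides are not meant to be supported, a compile-time check on the value would make that explicit.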
@@ -1437,10 +1442,21 @@ parse_signature( IOBUF inp, int pkttype, unsigned long pktlen,
if( list_mode )
fprintf (listfp, "\tunknown algorithm %d\n", sig->pubkey_algo );
unknown_pubkey_warning( sig->pubkey_algo );
- /* we store the plain material in data[0], so that we are able
+ /* We store the plain material in data[0], so that we are able
* to write it back with build_packet() */
- sig->data[0]= mpi_set_opaque(NULL, read_rest(inp, pktlen, 0), pktlen );
- pktlen = 0;
+ if (pktlen > (5 * MAX_EXTERN_MPI_BITS/8))
+ {
+ /* However we include a limit to avoid too trivial DoS
+ attacks by having gpg allocate too much memory. */
+ log_error ("signature packet: too much data\n");
+ rc = G10ERR_INVALID_PACKET;
+ }
+ else
+ {
+ sig->data[0]= mpi_set_opaque (NULL, read_rest(inp, pktlen, 0),
+ pktlen );
+ pktlen = 0;
+ }
}
else {
for( i=0; i < ndata; i++ ) {
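Review bot: The bound `5 * MAX_EXTERN_MPI_BITS/8` in the new `if` has an unexplained factor of 5, and the error message records neither the size nor the algorithm, so rejected packets are hard to triage from logs. A comment should say why five MPIs' worth of bytes is the ceiling, and the message could read `log_error ("signature packet: too much data (%lu bytes, algo %d)\n", pktlen, sig->pubkey_algo);`. On the rejecting branch `pktlen` stays non-zero and `sig->data[0]` is never set. parse_signature continues outside the hunk, so it is worth confirming that the exit path skips the unread bytes and that nothing later uses `data[0]` once `rc` is set.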