diff options
Diffstat (limited to 'g10/parse-packet.c')
| -rw-r--r-- | g10/parse-packet.c | 50 |
1 files changed, 43 insertions, 7 deletions
diff --git a/g10/parse-packet.c b/g10/parse-packet.c index 862ec6e7f..8d4450cdd 100644 --- a/g10/parse-packet.c +++ b/g10/parse-packet.c @@ -1747,6 +1747,12 @@ parse_key( IOBUF inp, int pkttype, unsigned long pktlen, byte temp[16]; size_t snlen = 0; + if (pktlen < 1) + { + rc = G10ERR_INVALID_PACKET; + goto leave; + } + if( !npkey ) { sk->skey[0] = mpi_set_opaque( NULL, read_rest(inp, pktlen, 0), pktlen ); @@ -1755,7 +1761,9 @@ parse_key( IOBUF inp, int pkttype, unsigned long pktlen, } for(i=0; i < npkey; i++ ) { - n = pktlen; sk->skey[i] = mpi_read(inp, &n, 0 ); pktlen -=n; + n = pktlen; + sk->skey[i] = mpi_read(inp, &n, 0 ); + pktlen -=n; if( list_mode ) { fprintf (listfp, "\tskey[%d]: ", i); mpi_print(listfp, sk->skey[i], mpi_print_mode ); @@ -1769,7 +1777,8 @@ parse_key( IOBUF inp, int pkttype, unsigned long pktlen, if (list_mode && npkey) keyid_from_sk (sk, keyid); - sk->protect.algo = iobuf_get_noeof(inp); pktlen--; + sk->protect.algo = iobuf_get_noeof(inp); + pktlen--; sk->protect.sha1chk = 0; if( sk->protect.algo ) { sk->is_protected = 1; @@ -1780,12 +1789,15 @@ parse_key( IOBUF inp, int pkttype, unsigned long pktlen, goto leave; } sk->protect.sha1chk = (sk->protect.algo == 254); - sk->protect.algo = iobuf_get_noeof(inp); pktlen--; + sk->protect.algo = iobuf_get_noeof(inp); + pktlen--; /* Note that a sk->protect.algo > 110 is illegal, but I'm not erroring on it here as otherwise there would be no way to delete such a key. */ - sk->protect.s2k.mode = iobuf_get_noeof(inp); pktlen--; - sk->protect.s2k.hash_algo = iobuf_get_noeof(inp); pktlen--; + sk->protect.s2k.mode = iobuf_get_noeof(inp); + pktlen--; + sk->protect.s2k.hash_algo = iobuf_get_noeof(inp); + pktlen--; /* check for the special GNU extension */ if( is_v4 && sk->protect.s2k.mode == 101 ) { for(i=0; i < 4 && pktlen; i++, pktlen-- ) @@ -1940,6 +1952,11 @@ parse_key( IOBUF inp, int pkttype, unsigned long pktlen, /* ugly; the length is encrypted too, so we read all * stuff up to the end of the packet into the first * skey element */ + if (pktlen < 2) /* At least two bytes for the length. */ + { + rc = G10ERR_INVALID_PACKET; + goto leave; + } sk->skey[npkey] = mpi_set_opaque(NULL, read_rest(inp, pktlen, 0),pktlen); pktlen = 0; @@ -1955,6 +1972,11 @@ parse_key( IOBUF inp, int pkttype, unsigned long pktlen, fprintf (listfp, "\tskey[%d]: [encrypted]\n", i); } else { + if (pktlen < 2) /* At least two bytes for the length. */ + { + rc = G10ERR_INVALID_PACKET; + goto leave; + } n = pktlen; sk->skey[i] = mpi_read(inp, &n, 0 ); pktlen -=n; @@ -1971,7 +1993,13 @@ parse_key( IOBUF inp, int pkttype, unsigned long pktlen, if (rc) goto leave; - sk->csum = read_16(inp); pktlen -= 2; + if (pktlen < 2) + { + rc = G10ERR_INVALID_PACKET; + goto leave; + } + sk->csum = read_16(inp); + pktlen -= 2; if( list_mode ) { fprintf (listfp, "\tchecksum: %04hx\n", sk->csum); } @@ -1980,6 +2008,12 @@ parse_key( IOBUF inp, int pkttype, unsigned long pktlen, else { PKT_public_key *pk = pkt->pkt.public_key; + if (pktlen < 1) + { + rc = G10ERR_INVALID_PACKET; + goto leave; + } + if( !npkey ) { pk->pkey[0] = mpi_set_opaque( NULL, read_rest(inp, pktlen, 0), pktlen ); @@ -1988,7 +2022,9 @@ parse_key( IOBUF inp, int pkttype, unsigned long pktlen, } for(i=0; i < npkey; i++ ) { - n = pktlen; pk->pkey[i] = mpi_read(inp, &n, 0 ); pktlen -=n; + n = pktlen; + pk->pkey[i] = mpi_read(inp, &n, 0 ); + pktlen -=n; if( list_mode ) { fprintf (listfp, "\tpkey[%d]: ", i); mpi_print(listfp, pk->pkey[i], mpi_print_mode ); |