From 0835d2f44ef62eab51fce6a927908f544e01cf8f Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Mon, 9 Feb 2015 10:54:06 +0100
Subject: gpg: Fix a NULL-deref in export due to invalid packet lengths.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* g10/build-packet.c (write_fake_data): Take care of a NULL stored as opaque MPI.
--
Reported-by: Hanno Böck
Test data: gpg2 --no-default-keyring --keyring FILE --export
With this unpacked data for FILE:
-----BEGIN PGP ARMORED FILE-----
Version: GnuPG v2
Comment: Use "gpg --dearmor" for unpacking
mI0EGRkZGRkZGRkZGRkZGRkBGRkZGRkZGRkZGRkZGQAZGRkZGRkZGRkZGRkZGRkZ
GRkZInzgDbpa/9gQ4wq9////f3Vy81CkyVq3HQaqgZLZOeqPjM7XgGh5hJvAkpec
9wAAAgDHe0FVFbkppJZXP+gFs6z3gobS0qUFeyTtxs+wAgAD
=JDFT
-----END PGP ARMORED FILE-----
Signed-off-by: Werner Koch
---
 g10/build-packet.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/g10/build-packet.c b/g10/build-packet.c
index 6bd1c9b0d..cda753ca1 100644
--- a/g10/build-packet.c
+++ b/g10/build-packet.c
@@ -261,6 +261,9 @@ write_fake_data (IOBUF out, gcry_mpi_t a)
 if (!a)
 return 0;
 p = gcry_mpi_get_opaque ( a, &n);
+ if (!p)
+ return 0; /* For example due to a read error in
+ parse-packet.c:read_rest. */
 return iobuf_write (out, p, (n+7)/8 );
 }
@@ -305,9 +308,9 @@ do_key (iobuf_t out, int ctb, PKT_public_key *pk)
 nskey = pubkey_get_nskey (pk->pubkey_algo);
 npkey = pubkey_get_npkey (pk->pubkey_algo);
- /* If we don't have any public parameters - which is the case if we
- don't know the algorithm used - the parameters are stored as one
- blob in a faked (opaque) MPI. */
+ /* If we don't have any public parameters - which is for example the
+ case if we don't know the algorithm used - the parameters are
+ stored as one blob in a faked (opaque) MPI. */
 if (!npkey)
 {
 write_fake_data (a, pk->pkey[0]);
--
cgit v1.2.3
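Review bot: The added `if (!p) return 0;` in write_fake_data reports success for an opaque MPI that carries no data, so a key packet damaged by the read error named in the comment is presumably exported without its key material and without any diagnostic. Consider surfacing the malformed input instead, for example `return gpg_error (GPG_ERR_BAD_MPI);` or at least a log line, so that a corrupt keyring is noticed rather than silently re-exported. The call visible in the second hunk, `write_fake_data (a, pk->pkey[0]);`, discards the return value, so do_key would have to check it for an error to reach the caller. Because the NULL payload originates in parse-packet.c:read_rest, rejecting the packet at parse time may also be worth a follow-up, since other readers of the opaque MPI could meet the same NULL; both functions begin and end outside the hunks shown.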