From 960f5e26f2cda3ac6e6b30548fa808a690c39ffc Mon Sep 17 00:00:00 2001
From: "Neal H. Walfield" <neal@g10code.com>
Date: Thu, 25 Feb 2016 21:20:32 +0100
Subject: gpg: More carefully encode a packet's length.

* g10/build-packet.c (write_header2): Make sure the length bits are
cleared.  Fail if HDRLEN is set and the specified length can't be
encoded in the available space.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
---
 g10/build-packet.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'g10/build-packet.c')

diff --git a/g10/build-packet.c b/g10/build-packet.c
index fe6234f10..feb7b44cd 100644
--- a/g10/build-packet.c
+++ b/g10/build-packet.c
@@ -1450,6 +1450,10 @@ write_header2( IOBUF out, int ctb, u32 len, int hdrlen )
   /* An old format packet.  Refer to RFC 4880, Section 4.2.1 to
      understand how lengths are encoded in this case.  */
 
+  /* The length encoding is stored in the two least significant bits.
+     Make sure they are cleared.  */
+  log_assert ((ctb & 3) == 0);
+
   log_assert (hdrlen == 0 || hdrlen == 2 || hdrlen == 3 || hdrlen == 5);
 
   if (hdrlen)
@@ -1462,10 +1466,13 @@ write_header2( IOBUF out, int ctb, u32 len, int hdrlen )
         /* 01 => 2 byte length.  If len < 256, this is not the most
            compact encoding, but it is a correct encoding.  */
 	ctb |= 1;
-      else
+      else if (hdrlen == 5)
         /* 10 => 4 byte length.  If len < 65536, this is not the most
            compact encoding, but it is a correct encoding.  */
 	ctb |= 2;
+      else
+        log_bug ("Can't encode length=%d in a %d byte header!\n",
+                 len, hdrlen);
     }
   else
     {
-- 
cgit v1.2.3