diff options
| author | Werner Koch <[email protected]> | 2015-10-01 11:21:25 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2015-10-02 08:58:40 +0000 |
| commit | ddf9dd135acd2b3635bb986f6dfc0e4e446d5fad (patch) | |
| tree | fc5e83d666ed95c6d2132c2d30bcada72a9ce575 /agent/command-ssh.c | |
| parent | gpg: Fix a practical hang after use of --faked-system-time. (diff) | |
| download | gnupg-ddf9dd135acd2b3635bb986f6dfc0e4e446d5fad.tar.gz gnupg-ddf9dd135acd2b3635bb986f6dfc0e4e446d5fad.zip | |
agent: Fix alignment problem with the second passphrase struct.
* agent/genkey.c (agent_ask_new_passphrase): Use a separate malloc for
PI2. Check return value of the malloc function.
* agent/command-ssh.c (ssh_identity_register): Use a separate malloc
for PI2. Wipe PI2.
--
For whatever stupid reasons I once allocated only one memory area and
split that into PI and PI2. This is actually a common pattern with
malloc but here we used a made up object size and do not take the
extra alignment required into account. One of these not yet hit by
a (sig)bus PC/VAX hacker bugs.
Instead of trying to fix the alignment, it is better to use a second
calloc for the second struct.
GnuPG-bug-id: 2112
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'agent/command-ssh.c')
| -rw-r--r-- | agent/command-ssh.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/agent/command-ssh.c b/agent/command-ssh.c index 8be125503..0aa0098f2 100644 --- a/agent/command-ssh.c +++ b/agent/command-ssh.c @@ -3070,7 +3070,8 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec, char *comment = NULL; char *key_fpr = NULL; const char *initial_errtext = NULL; - struct pin_entry_info_s *pi = NULL, *pi2; + struct pin_entry_info_s *pi = NULL; + struct pin_entry_info_s *pi2 = NULL; err = ssh_key_grip (key, key_grip_raw); if (err) @@ -3101,13 +3102,18 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec, goto out; } - pi = gcry_calloc_secure (2, sizeof (*pi) + MAX_PASSPHRASE_LEN + 1); + pi = gcry_calloc_secure (1, sizeof (*pi) + MAX_PASSPHRASE_LEN + 1); if (!pi) { err = gpg_error_from_syserror (); goto out; } - pi2 = pi + (sizeof *pi + MAX_PASSPHRASE_LEN + 1); + pi2 = gcry_calloc_secure (1, sizeof (*pi2) + MAX_PASSPHRASE_LEN + 1); + if (!pi2) + { + err = gpg_error_from_syserror (); + goto out; + } pi->max_length = MAX_PASSPHRASE_LEN + 1; pi->max_tries = 1; pi->with_repeat = 1; @@ -3155,6 +3161,9 @@ ssh_identity_register (ctrl_t ctrl, ssh_key_type_spec_t *spec, out: + if (pi2 && pi2->max_length) + wipememory (pi2->pin, pi2->max_length); + xfree (pi2); if (pi && pi->max_length) wipememory (pi->pin, pi->max_length); xfree (pi); |