gpg: Do not allow creation of user ids larger than our parser allows.

* g10/parse-packet.c: Move max packet lengths constants to ...
* g10/packet.h: ... here.
* g10/build-packet.c (do_user_id): Return an error if too data is too
large.
* g10/keygen.c (write_uid): Return an error for too large data.
--

This can lead to keyring corruption becuase we expect that our parser
is abale to parse packts created by us.  Test case is

  gpg --batch --passphrase 'abc' -v  \
      --quick-gen-key $(yes 'a'| head -4000|tr -d '\n')

GnuPG-bug-id: 4532
Signed-off-by: Werner Koch <[email protected]>

1 files changed, 7 insertions, 1 deletions

diff --git a/g10/build-packet.c b/g10/build-packet.c
index b83ea84a5..14e40a1bf 100644
--- a/g10/build-packet.c
+++ b/g10/build-packet.c
@@ -424,15 +424,21 @@ do_user_id( IOBUF out, int ctb, PKT_user_id *uid )
    * Without forcing HDRLEN to 2 in this case an indeterminate length
    * packet would be written which is not allowed.  Note that we are
    * always called with a CTB indicating an old packet header format,
-   * so that forcing a 2 octet header works.  */
+   * so that forcing a 2 octet header works.  We also check for the
+   * maximum allowed packet size by the parser using an arbitrary
+   * extra 10 bytes for header data. */
   if (uid->attrib_data)
     {
+      if (uid->attrib_len > MAX_ATTR_PACKET_LENGTH - 10)
+        return gpg_error (GPG_ERR_TOO_LARGE);
       hdrlen = uid->attrib_len? 0 : 2;
       write_header2 (out, ctb, uid->attrib_len, hdrlen);
       rc = iobuf_write( out, uid->attrib_data, uid->attrib_len );
     }
   else
     {
+      if (uid->len > MAX_UID_PACKET_LENGTH - 10)
+        return gpg_error (GPG_ERR_TOO_LARGE);
       hdrlen = uid->len? 0 : 2;
       write_header2 (out, ctb, uid->len, hdrlen);
       rc = iobuf_write( out, uid->name, uid->len );