diff options
| author | Werner Koch <[email protected]> | 2014-11-24 16:28:25 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2014-11-24 16:28:25 +0000 |
| commit | 0988764397f99db4efef1eabcdb8072d6159af76 (patch) | |
| tree | 55764de2364c17baae8241d23ec6bd114f3c411e /g10/parse-packet.c | |
| parent | gpg: Fix batch generation of ECC keys. (diff) | |
| download | gnupg-0988764397f99db4efef1eabcdb8072d6159af76.tar.gz gnupg-0988764397f99db4efef1eabcdb8072d6159af76.zip | |
gpg: Fix off-by-one read in the attribute subpacket parser.
* g10/parse-packet.c (parse_attribute_subpkts): Check that the
attribute packet is large enough for the subpacket type.
--
Reported-by: Hanno Böck
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'g10/parse-packet.c')
| -rw-r--r-- | g10/parse-packet.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/g10/parse-packet.c b/g10/parse-packet.c index e0370aaaa..f75e21ccb 100644 --- a/g10/parse-packet.c +++ b/g10/parse-packet.c @@ -2359,8 +2359,16 @@ parse_attribute_subpkts (PKT_user_id * uid) if (buflen < n) goto too_short; - attribs = - xrealloc (attribs, (count + 1) * sizeof (struct user_attribute)); + if (!n) + { + /* Too short to encode the subpacket type. */ + if (opt.verbose) + log_info ("attribute subpacket too short\n"); + break; + } + + attribs = xrealloc (attribs, + (count + 1) * sizeof (struct user_attribute)); memset (&attribs[count], 0, sizeof (struct user_attribute)); type = *buffer; |