author | Werner Koch <[email protected]> | 2022-04-25 13:21:05 +0000 |
---|---|---|
committer | Werner Koch <[email protected]> | 2022-04-25 13:21:05 +0000 |
commit | f6caf5b17366efa93f806f22e7441eb27f4d382c (patch) | |
tree | 2a7e7082865ea1ad0a37eb5aae91d62b38f52217 /g10/parse-packet.c | |
parent | sm: Use gpg_err_code() instead of -1 (diff) | |
download | gnupg-f6caf5b17366efa93f806f22e7441eb27f4d382c.tar.gz gnupg-f6caf5b17366efa93f806f22e7441eb27f4d382c.zip |
gpg: Avoid NULL ptr access due to corrupted packets.
* g10/parse-packet.c (parse_signature): Do not create an opaque MPI
with NULL and length > 0
(parse_key): Ditto.
--
GnuPG-bug-id: 5940, 5946
Diffstat (limited to 'g10/parse-packet.c')
-rw-r--r-- | g10/parse-packet.c | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index bb05eabb7..cea1f7ebc 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -2351,8 +2351,10 @@ parse_signature (IOBUF inp, int pkttype, unsigned long pktlen,
     }
   else
     {
-      sig->data[0] =
-        gcry_mpi_set_opaque (NULL, read_rest (inp, pktlen), pktlen * 8);
+      void *tmpp;
+
+      tmpp = read_rest (inp, pktlen);
+      sig->data[0] = gcry_mpi_set_opaque (NULL, tmpp, tmpp? pktlen * 8 : 0);
       pktlen = 0;
     }
 }
@@ -2580,8 +2582,10 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen,
   if (!npkey)
     {
       /* Unknown algorithm - put data into an opaque MPI. */
-      pk->pkey[0] = gcry_mpi_set_opaque (NULL,
-                                         read_rest (inp, pktlen), pktlen * 8);
+      void *tmpp = read_rest (inp, pktlen);
+      /* Current gcry_mpi_cmp does not handle a (NULL,n>0) nicely and
+       * thus we avoid to create such an MPI. */
+      pk->pkey[0] = gcry_mpi_set_opaque (NULL, tmpp, tmpp? pktlen * 8 : 0);
       pktlen = 0;
       goto leave;
     }
@@ -2883,6 +2887,8 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen,
     }
   else if (ski->is_protected)
     {
+      void *tmpp;
+
       if (pktlen < 2) /* At least two bytes for the length. */
         {
           err = gpg_error (GPG_ERR_INV_PACKET);
@@ -2893,9 +2899,10 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen,
            * up to the end of the packet into the first SKEY
            * element.
            * FIXME: We can do better for v5 keys. */
+
+          tmpp = read_rest (inp, pktlen);
           pk->pkey[npkey] = gcry_mpi_set_opaque (NULL,
-                                                 read_rest (inp, pktlen),
-                                                 pktlen * 8);
+                                                 tmpp, tmpp? pktlen * 8 : 0);
           /* Mark that MPI as protected - we need this information for
            * importing a key. The OPAQUE flag can't be used because
            * we also store public EdDSA values in opaque MPIs. */
|
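Review bot: The `tmpp? pktlen * 8 : 0` guard is now written out three times (here in parse_signature, and in the two parse_key hunks below), but the comment explaining why a (NULL, n>0) opaque MPI must be avoided appears only in the unknown-algorithm hunk; the first and last call sites give a future reader no hint why a NULL buffer is tolerated instead of rejected. A small static helper that owns both the comment and the check would keep the three sites identical, and it is also the natural place to bound the bit count: `gcry_mpi_set_opaque` takes `nbits` as `unsigned int` while `pktlen` is `unsigned long`, so `pktlen * 8` is narrowed at the call and would wrap for a very large packet length if read_rest can succeed for such a length (its bounds are outside this hunk). The enclosing parse_signature body begins and ends outside the hunk.
```c
/* Read the remaining PKTLEN bytes of INP into a fresh opaque MPI.
 * read_rest returns NULL for a truncated or corrupted packet; in that
 * case the MPI is created with zero bits, because gcry_mpi_cmp does
 * not cope with a (NULL, n>0) opaque value.  The bit count is
 * clamped so that the narrowing to gcry_mpi_set_opaque's unsigned
 * int nbits cannot wrap.  */
static gcry_mpi_t
read_rest_as_opaque (IOBUF inp, unsigned long pktlen)
{
  void *tmpp = read_rest (inp, pktlen);

  if (!tmpp || pktlen > UINT_MAX / 8)
    return gcry_mpi_set_opaque (NULL, tmpp, 0);
  return gcry_mpi_set_opaque (NULL, tmpp, (unsigned int)(pktlen * 8));
}

/* … unchanged: parse_signature up to the else branch … */
      sig->data[0] = read_rest_as_opaque (inp, pktlen);
      pktlen = 0;
```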
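Review bot: In the unknown-algorithm branch a NULL result from read_rest now produces an empty opaque pkey[0] and then `goto leave`, but nothing in the hunk sets `err` on that path, so a truncated packet for an unknown algorithm is presumably returned to the caller as a successfully parsed key rather than as an invalid packet (err's prior value and read_rest's own failure handling are outside the hunk). If that tolerance is intended, a comment saying so would help; if not, the corrupt case should be reported explicitly, e.g. `if (!tmpp) { err = gpg_error (GPG_ERR_INV_PACKET); goto leave; }` before the gcry_mpi_set_opaque call. The same question applies to the protected-secret-key hunk further down, where the enclosing parse_key body continues past the hunk.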