diff options
| author | Werner Koch <[email protected]> | 2014-10-09 18:19:05 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2014-10-09 18:19:05 +0000 |
| commit | b6507bb80e4e4aa5c85a918fdcf5c28cccb75081 (patch) | |
| tree | 6892ed42e79aea6233da23439283079a02e9a279 /kbx/keybox-file.c | |
| parent | gpg: Take care to use pubring.kbx if it has ever been used. (diff) | |
| download | gnupg-b6507bb80e4e4aa5c85a918fdcf5c28cccb75081.tar.gz gnupg-b6507bb80e4e4aa5c85a918fdcf5c28cccb75081.zip | |
kbx: Fix handling of overlong keys.
* kbx/keybox-file.c (IMAGELEN_LIMIT): Change limit from 10^6 to 2MiB.
(_keybox_read_blob2): Skip too long record records.
(_keybox_write_blob): Do not accept too long record.
* kbx/keybox-dump.c (file_stats_s): Add field skipped_long_blobs.
(_keybox_dump_file): Print new counter.
(_keybox_dump_file): Skip too long records.
----
To test this feature you may set the limit back to 1MiB and use key
F7F0E70F307D56ED which is in my local copy close to 2MiB. Without
this patch it was possible to import the key but access to that key
and all keys stored after it was not possible.
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'kbx/keybox-file.c')
| -rw-r--r-- | kbx/keybox-file.c | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/kbx/keybox-file.c b/kbx/keybox-file.c index def896bca..1ed51696e 100644 --- a/kbx/keybox-file.c +++ b/kbx/keybox-file.c @@ -27,6 +27,9 @@ #include "keybox-defs.h" +#define IMAGELEN_LIMIT (2*1024*1024) + + #if !defined(HAVE_FTELLO) && !defined(ftello) static off_t ftello (FILE *stream) @@ -75,9 +78,6 @@ _keybox_read_blob2 (KEYBOXBLOB *r_blob, FILE *fp, int *skipped_deleted) } imagelen = (c1 << 24) | (c2 << 16) | (c3 << 8 ) | c4; - if (imagelen > 1000000) /* Sanity check. */ - return gpg_error (GPG_ERR_TOO_LARGE); - if (imagelen < 5) return gpg_error (GPG_ERR_TOO_SHORT); @@ -90,6 +90,15 @@ _keybox_read_blob2 (KEYBOXBLOB *r_blob, FILE *fp, int *skipped_deleted) goto again; } + if (imagelen > IMAGELEN_LIMIT) /* Sanity check. */ + { + /* Seek forward so that the caller may choose to ignore this + record. */ + if (fseek (fp, imagelen-5, SEEK_CUR)) + return gpg_error_from_syserror (); + return gpg_error (GPG_ERR_TOO_LARGE); + } + image = xtrymalloc (imagelen); if (!image) return gpg_error_from_syserror (); @@ -124,6 +133,10 @@ _keybox_write_blob (KEYBOXBLOB blob, FILE *fp) size_t length; image = _keybox_get_blob_image (blob, &length); + + if (length > IMAGELEN_LIMIT) + return gpg_error (GPG_ERR_TOO_LARGE); + if (fwrite (image, length, 1, fp) != 1) return gpg_error_from_syserror (); return 0; |