diff options
| author | Werner Koch <[email protected]> | 2005-05-21 14:04:32 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2005-05-21 14:04:32 +0000 |
| commit | be2aa37dbf0da2c953143c328a1aed4bf210cc87 (patch) | |
| tree | c4b207b7cd1bfca613d0e52a4ddd6c9b41d3c8e0 /mpi/mpicoder.c | |
| parent | (ccid_transceive): Arghhh. The seqno is another (diff) | |
| download | gnupg-be2aa37dbf0da2c953143c328a1aed4bf210cc87.tar.gz gnupg-be2aa37dbf0da2c953143c328a1aed4bf210cc87.zip | |
* cardglue.c (send_status_info): Make CTRL optional.
(agent_scd_writekey, inq_writekey_parms): New.
(agent_openpgp_storekey): Removed.
* cardglue.h: Add a few more error code mappings.
* keygen.c (copy_mpi): Removed.
(save_unprotected_key_to_card): Changed to use agent_scd_writekey.
* app-common.h, app-openpgp.c, tlv.c, tlv.h: Updated from newer
version in gnupg 1.9 CVS.
Diffstat (limited to 'mpi/mpicoder.c')
| -rw-r--r-- | mpi/mpicoder.c | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/mpi/mpicoder.c b/mpi/mpicoder.c index 4d4e45553..ab913861d 100644 --- a/mpi/mpicoder.c +++ b/mpi/mpicoder.c @@ -1,5 +1,5 @@ /* mpicoder.c - Coder for the external representation of MPIs - * Copyright (C) 1998, 1999 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -74,20 +74,23 @@ mpi_read(IOBUF inp, unsigned *ret_nread, int secure) #endif { int c, i, j; + unsigned int nmax = *ret_nread; unsigned nbits, nbytes, nlimbs, nread=0; mpi_limb_t a; MPI val = MPI_NULL; if( (c = iobuf_get(inp)) == -1 ) goto leave; - nread++; + if (++nread >= nmax) + goto overflow; nbits = c << 8; if( (c = iobuf_get(inp)) == -1 ) goto leave; - nread++; + if (++nread >= nmax) + goto overflow; nbits |= c; if( nbits > MAX_EXTERN_MPI_BITS ) { - log_error("mpi too large (%u bits)\n", nbits); + log_error("mpi too large for this implementation (%u bits)\n", nbits); goto leave; } @@ -108,6 +111,15 @@ mpi_read(IOBUF inp, unsigned *ret_nread, int secure) for( ; j > 0; j-- ) { a = 0; for(; i < BYTES_PER_MPI_LIMB; i++ ) { + if (nread >= nmax) { +#ifdef M_DEBUG + mpi_debug_free (val); +#else + mpi_free (val); +#endif + val = NULL; + goto overflow; + } a <<= 8; a |= iobuf_get(inp) & 0xff; nread++; } @@ -116,10 +128,11 @@ mpi_read(IOBUF inp, unsigned *ret_nread, int secure) } leave: - if( nread > *ret_nread ) - log_bug("mpi crosses packet border\n"); - else - *ret_nread = nread; + *ret_nread = nread; + return val; + overflow: + log_error ("mpi larger than indicated length (%u bytes)\n", nmax); + *ret_nread = nread; return val; } |