diff options
| -rw-r--r-- | g10/parse-packet.c | 9 | ||||
| -rw-r--r-- | kbx/keybox-openpgp.c | 9 | ||||
| -rw-r--r-- | tests/openpgp/4gb-packet.asc | bin | 0 -> 4983 bytes | |||
| -rwxr-xr-x | tests/openpgp/4gb-packet.test | 16 | ||||
| -rw-r--r-- | tests/openpgp/Makefile.am | 4 |
5 files changed, 34 insertions, 4 deletions
diff --git a/g10/parse-packet.c b/g10/parse-packet.c index bc9965331..edebbe782 100644 --- a/g10/parse-packet.c +++ b/g10/parse-packet.c @@ -643,7 +643,14 @@ parse (IOBUF inp, PACKET * pkt, int onlykeypkts, off_t * retpos, } } - if (pktlen == (unsigned long) (-1)) + /* Sometimes the decompressing layer enters an error state in which + it simply outputs 0xff for every byte read. If we have a stream + of 0xff bytes, then it will be detected as a new format packet + with type 63 and a 4-byte encoded length that is 4G-1. Since + packets with type 63 are private and we use them as a control + packet, which won't be 4 GB, we reject such packets as + invalid. */ + if (pkttype == 63 && pktlen == 0xFFFFFFFF) { /* With some probability this is caused by a problem in the * the uncompressing layer - in some error cases it just loops diff --git a/kbx/keybox-openpgp.c b/kbx/keybox-openpgp.c index 2cac242e9..a5f602b7b 100644 --- a/kbx/keybox-openpgp.c +++ b/kbx/keybox-openpgp.c @@ -139,7 +139,14 @@ next_packet (unsigned char const **bufptr, size_t *buflen, return gpg_error (GPG_ERR_UNEXPECTED); } - if (pktlen == (unsigned long)(-1)) + if (pkttype == 63 && pktlen == 0xFFFFFFFF) + /* Sometimes the decompressing layer enters an error state in + which it simply outputs 0xff for every byte read. If we have a + stream of 0xff bytes, then it will be detected as a new format + packet with type 63 and a 4-byte encoded length that is 4G-1. + Since packets with type 63 are private and we use them as a + control packet, which won't be 4 GB, we reject such packets as + invalid. */ return gpg_error (GPG_ERR_INV_PACKET); if (pktlen > len) diff --git a/tests/openpgp/4gb-packet.asc b/tests/openpgp/4gb-packet.asc Binary files differnew file mode 100644 index 000000000..7e5d6f349 --- /dev/null +++ b/tests/openpgp/4gb-packet.asc diff --git a/tests/openpgp/4gb-packet.test b/tests/openpgp/4gb-packet.test new file mode 100755 index 000000000..f8e43c80b --- /dev/null +++ b/tests/openpgp/4gb-packet.test @@ -0,0 +1,16 @@ +#!/bin/sh + +. $srcdir/defs.inc || exit 3 + +# GnuPG through 2.1.7 would incorrect mark packets whose size is +# 2^32-1 as invalid and exit with status code 2. +i=$srcdir/4gb-packet.asc + +if ! $GPG --list-packets $i +then + echo Failed to parse 4GB packet. + exit 1 +else + echo Can parse 4GB packets. + exit 0 +fi diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am index dae8c1141..4fdb0a607 100644 --- a/tests/openpgp/Makefile.am +++ b/tests/openpgp/Makefile.am @@ -38,7 +38,7 @@ TESTS = version.test mds.test \ armdetachm.test detachm.test genkey1024.test \ conventional.test conventional-mdc.test \ multisig.test verify.test armor.test \ - import.test ecc.test finish.test + import.test ecc.test 4gb-packet.test finish.test TEST_FILES = pubring.asc secring.asc plain-1o.asc plain-2o.asc plain-3o.asc \ @@ -46,7 +46,7 @@ TEST_FILES = pubring.asc secring.asc plain-1o.asc plain-2o.asc plain-3o.asc \ pubring.pkr.asc secring.skr.asc secdemo.asc pubdemo.asc \ gpg.conf.tmpl gpg-agent.conf.tmpl \ bug537-test.data.asc bug894-test.asc \ - bug1223-good.asc bug1223-bogus.asc + bug1223-good.asc bug1223-bogus.asc 4gb-packet.asc data_files = data-500 data-9000 data-32000 data-80000 plain-large |