diff options
| -rw-r--r-- | g10/ChangeLog | 5 | ||||
| -rw-r--r-- | g10/parse-packet.c | 16 |
2 files changed, 18 insertions, 3 deletions
diff --git a/g10/ChangeLog b/g10/ChangeLog index 53f6b8528..7f9f0fcca 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -1,3 +1,8 @@ +2007-02-04 Werner Koch <[email protected]> + + * parse-packet.c (parse_signature): Limit bytes read for an + unknown alogorithm. Fixes Debian bug#402592. + 2007-01-31 Werner Koch <[email protected]> * verify.c (verify_signatures): Do no dereference a NULL afx. diff --git a/g10/parse-packet.c b/g10/parse-packet.c index ae0cc2821..243523df6 100644 --- a/g10/parse-packet.c +++ b/g10/parse-packet.c @@ -1494,9 +1494,19 @@ parse_signature( IOBUF inp, int pkttype, unsigned long pktlen, unknown_pubkey_warning( sig->pubkey_algo ); /* We store the plain material in data[0], so that we are able * to write it back with build_packet() */ - sig->data[0]= gcry_mpi_set_opaque (NULL, read_rest(inp, pktlen, 0), - pktlen*8 ); - pktlen = 0; + if (pktlen > (5 * MAX_EXTERN_MPI_BITS/8)) + { + /* However we include a limit to avoid too trivial DoS + attacks by having gpg allocate too much memory. */ + log_error ("signature packet: too much data\n"); + rc = G10ERR_INVALID_PACKET; + } + else + { + sig->data[0]= gcry_mpi_set_opaque (NULL, read_rest(inp, pktlen, 0), + pktlen*8 ); + pktlen = 0; + } } else { for( i=0; i < ndata; i++ ) { |