diff options
| author | Werner Koch <[email protected]> | 2019-05-21 14:25:56 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2019-05-21 14:25:56 +0000 |
| commit | 156788a43c20e38cd52f4f725395aff2c72142ff (patch) | |
| tree | d5a2f0a0b9eb9971b5d19105f647ea224a16b120 /g10/keygen.c | |
| parent | gpg: Unify the the use of the print_pubkey_info functions. (diff) | |
| download | gnupg-156788a43c20e38cd52f4f725395aff2c72142ff.tar.gz gnupg-156788a43c20e38cd52f4f725395aff2c72142ff.zip | |
gpg: Do not allow creation of user ids larger than our parser allows.
* g10/parse-packet.c: Move max packet lengths constants to ...
* g10/packet.h: ... here.
* g10/build-packet.c (do_user_id): Return an error if too data is too
large.
* g10/keygen.c (write_uid): Return an error for too large data.
--
This can lead to keyring corruption becuase we expect that our parser
is abale to parse packts created by us. Test case is
gpg --batch --passphrase 'abc' -v \
--quick-gen-key $(yes 'a'| head -4000|tr -d '\n')
GnuPG-bug-id: 4532
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'g10/keygen.c')
| -rw-r--r-- | g10/keygen.c | 33 |
1 files changed, 19 insertions, 14 deletions
diff --git a/g10/keygen.c b/g10/keygen.c index ac6bcc890..d9037d29d 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -227,18 +227,22 @@ print_status_key_not_created (const char *handle) -static void -write_uid( KBNODE root, const char *s ) +static gpg_error_t +write_uid (kbnode_t root, const char *s) { - PACKET *pkt = xmalloc_clear(sizeof *pkt ); - size_t n = strlen(s); + PACKET *pkt = xmalloc_clear (sizeof *pkt); + size_t n = strlen (s); - pkt->pkttype = PKT_USER_ID; - pkt->pkt.user_id = xmalloc_clear (sizeof *pkt->pkt.user_id + n); - pkt->pkt.user_id->len = n; - pkt->pkt.user_id->ref = 1; - strcpy(pkt->pkt.user_id->name, s); - add_kbnode( root, new_kbnode( pkt ) ); + if (n > MAX_UID_PACKET_LENGTH - 10) + return gpg_error (GPG_ERR_INV_USER_ID); + + pkt->pkttype = PKT_USER_ID; + pkt->pkt.user_id = xmalloc_clear (sizeof *pkt->pkt.user_id + n); + pkt->pkt.user_id->len = n; + pkt->pkt.user_id->ref = 1; + strcpy (pkt->pkt.user_id->name, s); + add_kbnode (root, new_kbnode (pkt)); + return 0; } static void @@ -5092,10 +5096,11 @@ do_generate_keypair (ctrl_t ctrl, struct para_data_s *para, if (!err && (s = get_parameter_value (para, pUSERID))) { - write_uid (pub_root, s ); - err = write_selfsigs (ctrl, pub_root, pri_psk, - get_parameter_uint (para, pKEYUSAGE), timestamp, - cache_nonce); + err = write_uid (pub_root, s ); + if (!err) + err = write_selfsigs (ctrl, pub_root, pri_psk, + get_parameter_uint (para, pKEYUSAGE), timestamp, + cache_nonce); } /* Write the auth key to the card before the encryption key. This |