[svn] GnuPG - r4157 - trunk/g10

svn author dshaw cvs at cvs.gnupg.org
Fri Jun 9 21:45:21 CEST 2006 

Author: dshaw
Date: 2006-06-09 21:45:19 +0200 (Fri, 09 Jun 2006)
New Revision: 4157

Modified:
   trunk/g10/ChangeLog
   trunk/g10/parse-packet.c
Log:
* parse-packet.c (parse_user_id): Cap the user ID size at 2048 bytes.  
This prevents a memory allocation attack with a very large user ID.  A
very large packet length could even cause the allocation (a u32) to wrap
around to a small number.  Noted by Evgeny Legerov on full-disclosure.


Modified: trunk/g10/ChangeLog
===================================================================
--- trunk/g10/ChangeLog	2006-06-09 11:32:22 UTC (rev 4156)
+++ trunk/g10/ChangeLog	2006-06-09 19:45:19 UTC (rev 4157)
@@ -1,3 +1,11 @@
+2006-06-09  David Shaw  <dshaw at jabberwocky.com>
+
+	* parse-packet.c (parse_user_id): Cap the user ID size at 2048
+	bytes.  This prevents a memory allocation attack with a very large
+	user ID.  A very large packet length could even cause the
+	allocation (a u32) to wrap around to a small number.  Noted by
+	Evgeny Legerov on full-disclosure.
+
 2006-05-25  David Shaw  <dshaw at jabberwocky.com>
 
 	* keygen.c (gen_dsa): Allow generating DSA2 keys

Modified: trunk/g10/parse-packet.c
===================================================================
--- trunk/g10/parse-packet.c	2006-06-09 11:32:22 UTC (rev 4156)
+++ trunk/g10/parse-packet.c	2006-06-09 19:45:19 UTC (rev 4157)
@@ -1982,6 +1982,20 @@
 {
     byte *p;
 
+    /* Cap the size of a user ID at 2k: a value absurdly large enough
+       that there is no sane user ID string (which is printable text
+       as of RFC2440bis) that won't fit in it, but yet small enough to
+       avoid allocation problems.  A large pktlen may not be
+       allocatable, and a very large pktlen could actually cause our
+       allocation to wrap around in xmalloc to a small number. */
+
+    if(pktlen>2048)
+      {
+	log_error("packet(%d) too large\n", pkttype);
+	iobuf_skip_rest(inp, pktlen, 0);
+	return G10ERR_INVALID_PACKET;
+      }
+
     packet->pkt.user_id = xmalloc_clear(sizeof *packet->pkt.user_id + pktlen);
     packet->pkt.user_id->len = pktlen;
     packet->pkt.user_id->ref=1;

More information about the Gnupg-commits mailing list