[svn] GnuPG - r4425 - branches/STABLE-BRANCH-1-4/g10

svn author wk cvs at cvs.gnupg.org
Sun Feb 4 18:20:25 CET 2007 

Author: wk
Date: 2007-02-04 18:20:24 +0100 (Sun, 04 Feb 2007)
New Revision: 4425

Modified:
   branches/STABLE-BRANCH-1-4/g10/ChangeLog
   branches/STABLE-BRANCH-1-4/g10/parse-packet.c
Log:
Fix for Debian bug 402592


Modified: branches/STABLE-BRANCH-1-4/g10/ChangeLog
===================================================================
--- branches/STABLE-BRANCH-1-4/g10/ChangeLog	2007-02-01 20:51:15 UTC (rev 4424)
+++ branches/STABLE-BRANCH-1-4/g10/ChangeLog	2007-02-04 17:20:24 UTC (rev 4425)
@@ -1,3 +1,8 @@
+2007-02-04  Werner Koch  <wk at g10code.com>
+
+	* parse-packet.c (parse_signature): Limit bytes read for an
+	unknown alogorithm.  Fixes Debian bug#402592.
+
 2007-02-01  David Shaw  <dshaw at jabberwocky.com>
 
 	* main.h, keygen.c (ask_expire_interval, parse_expire_string):

Modified: branches/STABLE-BRANCH-1-4/g10/parse-packet.c
===================================================================
--- branches/STABLE-BRANCH-1-4/g10/parse-packet.c	2007-02-01 20:51:15 UTC (rev 4424)
+++ branches/STABLE-BRANCH-1-4/g10/parse-packet.c	2007-02-04 17:20:24 UTC (rev 4425)
@@ -38,6 +38,11 @@
 #include "main.h"
 #include "i18n.h"
 
+#ifndef MAX_EXTERN_MPI_BITS
+#define MAX_EXTERN_MPI_BITS 16384
+#endif
+
+
 static int mpi_print_mode;
 static int list_mode;
 static FILE *listfp;
@@ -1437,10 +1442,21 @@
 	if( list_mode )
 	    fprintf (listfp, "\tunknown algorithm %d\n", sig->pubkey_algo );
 	unknown_pubkey_warning( sig->pubkey_algo );
-	/* we store the plain material in data[0], so that we are able
+	/* We store the plain material in data[0], so that we are able
 	 * to write it back with build_packet() */
-	sig->data[0]= mpi_set_opaque(NULL, read_rest(inp, pktlen, 0), pktlen );
-	pktlen = 0;
+        if (pktlen > (5 * MAX_EXTERN_MPI_BITS/8))
+          {
+            /* However we include a limit to avoid too trivial DoS
+               attacks by having gpg allocate too much memory.  */
+	    log_error ("signature packet: too much data\n");
+	    rc = G10ERR_INVALID_PACKET;
+          }
+        else
+          {
+            sig->data[0]= mpi_set_opaque (NULL, read_rest(inp, pktlen, 0),
+                                          pktlen );
+            pktlen = 0;
+          }
     }
     else {
 	for( i=0; i < ndata; i++ ) {

More information about the Gnupg-commits mailing list