[git] GnuPG - branch, master, updated. gnupg-2.1.0-44-g8445ef2

by Werner Koch cvs at cvs.gnupg.org
Tue Nov 25 12:47:06 CET 2014 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, master has been updated
       via  8445ef24fc31e1fe0291e17f90f9f06b536e34da (commit)
      from  28dafd4714a9b01d3a6f1e6e5919bf6f909987c7 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 8445ef24fc31e1fe0291e17f90f9f06b536e34da
Author: Werner Koch <wk at gnupg.org>
Date:   Tue Nov 25 11:58:56 2014 +0100

    Fix buffer overflow in openpgp_oid_to_str.
    
    * common/openpgp-oid.c (openpgp_oid_to_str): Fix unsigned underflow.
    
    * common/t-openpgp-oid.c (BADOID): New.
    (test_openpgp_oid_to_str): Add test cases.
    --
    
    The code has an obvious error by not considering invalid encoding for
    arc-2.  A first byte of 0x80 can be used to make a value of less then
    80 and we then subtract 80 from that value as required by the OID
    encoding rules.  Due to the unsigned integer this results in a pretty
    long value which won't fit anymore into the allocated buffer.
    
    The fix is obvious.  Also added a few simple test cases.  Note that we
    keep on using sprintf instead of snprintf because managing the
    remaining length of the buffer would probably be more error prone than
    assuring that the buffer is large enough.  Getting rid of sprintf
    altogether by using direct conversion along with membuf_t like code
    might be possible.
    
    Reported-by: Hanno Böck
    Signed-off-by: Werner Koch <wk at gnupg.org>
    
    Ported from libksba commit f715b9e156dfa99ae829fc694e5a0abd23ef97d7

diff --git a/common/openpgp-oid.c b/common/openpgp-oid.c
index 010c23f..d3d1f2a 100644
--- a/common/openpgp-oid.c
+++ b/common/openpgp-oid.c
@@ -236,6 +236,8 @@ openpgp_oid_to_str (gcry_mpi_t a)
         val <<= 7;
         val |= buf[n] & 0x7f;
       }
+    if (val < 80)
+      goto badoid;
     val -= 80;
     sprintf (p, "2.%lu", val);
     p += strlen (p);
diff --git a/common/t-openpgp-oid.c b/common/t-openpgp-oid.c
index 79e5a70..5cd778d 100644
--- a/common/t-openpgp-oid.c
+++ b/common/t-openpgp-oid.c
@@ -32,6 +32,9 @@
   } while(0)
 
 
+#define BADOID "1.3.6.1.4.1.11591.2.12242973"
+
+
 static void
 test_openpgp_oid_from_str (void)
 {
@@ -108,6 +111,12 @@ test_openpgp_oid_to_str (void)
     { "1.3.132.0.35",
       { 5, 0x2B, 0x81, 0x04, 0x00, 0x23 }},
 
+    { BADOID,
+      { 9, 0x80, 0x02, 0x70, 0x50, 0x25, 0x46, 0xfd, 0x0c, 0xc0 }},
+
+    { BADOID,
+      { 1, 0x80 }},
+
     { NULL }};
   gcry_mpi_t a;
   int idx;

-----------------------------------------------------------------------

Summary of changes:
 common/openpgp-oid.c   |    2 ++
 common/t-openpgp-oid.c |    9 +++++++++
 2 files changed, 11 insertions(+)


hooks/post-receive
-- 
The GNU Privacy Guard
http://git.gnupg.org

More information about the Gnupg-commits mailing list