SEGFAULT;(

Remi Guyomarch rguyom at mail.dotcom.fr
Mon Jan 31 23:37:23 CET 2000


On Mon, Jan 31, 2000 at 01:50:22AM +0100, Remi Guyomarch wrote:
> On Mon, Jan 31, 2000 at 12:45:34AM +0100, Jan-Benedict Glaw wrote:
> > Hi!
> > 
> > Found a little bug in g10/keyedit.c... Tested version is 1.0.1, but keyedit.c
> > has neither changed in 1.0.1a nor in 1.1.0 (okay, it has changed, but not
> > at the relevant part;).
> [...]
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x8080543 in menu_expire (pub_keyblock=0x80cd860, sec_keyblock=0x80d0280) at keyedit.c:1490
> > 1490                    if( (mainkey && main_pk->version < 4)
> > 
> > ================== 8< ------------------------------------------
> > 
> > main_pk seems to be a pointer to nirvana so main_pk->version kills gpg...
> 
> main_pk is ok, but sub_pk is null. Here's the code:
> 
> 		signumber++;
> 
> 		if( (mainkey && main_pk->version < 4)
> 		    || (!mainkey && sub_pk->version < 4 ) ) {
> 		    log_info(_(
> 			"You can't change the expiration date of a v3 key\n"));
> 
> (keyedit.c:1502 in 1.0.1c)

Ok, here's a patch:

Index: keyedit.c
===================================================================
RCS file: /home/koch/cvs/gnupg/g10/keyedit.c,v
retrieving revision 1.58.2.2
diff -u -u -r1.58.2.2 keyedit.c
--- keyedit.c   2000/01/14 17:25:59     1.58.2.2
+++ keyedit.c   2000/01/31 22:31:42
@@ -1486,7 +1486,8 @@
        }
        else if( node->pkt->pkttype == PKT_USER_ID )
            uid = node->pkt->pkt.user_id;
-       else if( main_pk && node->pkt->pkttype == PKT_SIGNATURE ) {
+       else if( main_pk && node->pkt->pkttype == PKT_SIGNATURE
+                && sub_pk != NULL) {
            PKT_signature *sig = node->pkt->pkt.signature;
            if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1]
                && (    (mainkey && uid && (sig->sig_class&~3) == 0x10)
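Review bot: the new `&& sub_pk != NULL` guard also applies to the primary-key case. With the packet order given in the explanation (public key, user ID, self-signature, then the subkeys), the user-ID self-signature is reached before any subkey packet has been seen, so if sub_pk starts out NULL the `mainkey && uid && (sig->sig_class&~3) == 0x10` branch below is never entered and the expiration of the primary key can no longer be changed. Guard only the subkey path, e.g. `&& (mainkey || sub_pk != NULL)`, or move the NULL test into the `!mainkey` half of the inner condition.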
@@ -1550,6 +1551,7 @@
                    m_free( sn->pkt );
                    sn->pkt = newpkt;
                }
+               sub_pk = NULL;
            }
        }
     }
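Review bot: clearing sub_pk after the first matching signature ties the fix to the "one subkey, one binding signature" layout shown in the explanation: a subkey carrying more than one binding signature (a re-issued one, say) would have only the first updated, and, judging from the indentation, the reset sits inside the keyid-match block, so a signature that fails the keyid test leaves sub_pk set and an unselected subkey that follows could still have its signature changed. Keying the state to the subkey packets instead, by remembering the most recently seen PKT_PUBLIC_SUBKEY node regardless of its selection flag and testing `node->flag & NODFLG_SELKEY` on that node when its binding signature comes up, expresses the intent directly and removes the need for this reset.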

Explanations:

This routine sees packets coming in this order (for a key with two
subkeys):

:public key packet:
:user ID packet:
:signature packet:
	(DSA key self-signature)
:public sub key packet:
:signature packet:
	(first subkey signature)
:public sub key packet:
:signature packet:
	(second subkey signature)

When the second subkey is selected, menu_expire() tries to change the
first subkey signature, but it doesn't have a handle to the first
subkey packet (sub_pk), because this node isn't flagged
[&& (node->flag & NODFLG_SELKEY )].
If the code didn't test node->flag, it would apply the expire change
to all subkeys.

I didn't see a way to link a signature to the subkey it is signing (i.e.
a way to do node->pkt->pkt.signature->subkey_signed == sub_pk), so the
patch isn't very nice, but it works :)
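The walk described above, as an added example that is not GnuPG's code and not part of the original mail: a small model of the keyblock (primary key, user ID, self-signature, two subkeys each followed by its binding signature) and two versions of the expiration walk. `expire_walk_buggy` remembers only the selected subkey and dereferences it on every binding signature, which reproduces the crash when the second subkey is selected (modelled as a -1 return instead of a real NULL dereference) and also over-applies when the first subkey is selected. `expire_walk_fixed` instead remembers the most recently seen subkey packet regardless of selection and checks its flag when the binding signature arrives, which is the "link the signature to the subkey it is signing" approach the mail says it could not find. The packet types, the `selected` field, the node layout and the sample keyblock are constructed stand-ins for GnuPG's PKT_*, NODFLG_SELKEY and KBNODE structures; only the signature-class values (0x10..0x13 certification, 0x18 subkey binding) are the real OpenPGP ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical packet types standing in for GnuPG's PKT_* constants. */
enum pkt_type { PKT_PUBKEY, PKT_USERID, PKT_SUBKEY, PKT_SIG };

struct node {
    enum pkt_type type;
    int selected;         /* stands in for node->flag & NODFLG_SELKEY */
    int sig_class;        /* OpenPGP signature class, signatures only */
    uint32_t expire;      /* key/subkey expiration, keys only */
    uint32_t sig_expire;  /* expiration carried by the signature, sigs only */
    struct node *next;
};

/* Constructed test data: the seven-packet keyblock from the mail.
 * which_sub == 1 or 2 marks that subkey as selected; 0 selects none. */
static struct node *build_keyblock(struct node n[7], int which_sub)
{
    static const enum pkt_type types[7] = { PKT_PUBKEY, PKT_USERID, PKT_SIG,
                                            PKT_SUBKEY, PKT_SIG, PKT_SUBKEY, PKT_SIG };
    static const int classes[7] = { 0, 0, 0x13, 0, 0x18, 0, 0x18 };
    for (int i = 0; i < 7; i++) {
        n[i].type = types[i];
        n[i].sig_class = classes[i];
        n[i].selected = 0;
        n[i].expire = 0;
        n[i].sig_expire = 0;
        n[i].next = (i < 6) ? &n[i + 1] : NULL;
    }
    if (which_sub == 1) n[3].selected = 1;
    else if (which_sub == 2) n[5].selected = 1;
    return n;
}

static void apply_expire(struct node *key, struct node *sig, uint32_t exp)
{
    key->expire = exp;
    sig->sig_expire = exp;
}

/* The walk as the report describes it: sub_pk is set only when a *selected*
 * subkey packet passes by, and every binding signature dereferences it.
 * Returns the number of signatures updated, or -1 where the real code would
 * dereference a NULL sub_pk (the SIGSEGV from the report). */
static int expire_walk_buggy(struct node *kb, int mainkey, uint32_t exp)
{
    struct node *main_pk = NULL, *sub_pk = NULL, *uid = NULL;
    int updated = 0;
    for (struct node *n = kb; n; n = n->next) {
        if (n->type == PKT_PUBKEY)
            main_pk = n;
        else if (n->type == PKT_SUBKEY && n->selected)
            sub_pk = n;                        /* unselected subkeys are forgotten */
        else if (n->type == PKT_USERID)
            uid = n;
        else if (main_pk && n->type == PKT_SIG) {
            int is_cert = (n->sig_class & ~3) == 0x10;
            if (mainkey && uid && is_cert) {
                apply_expire(main_pk, n, exp);
                updated++;
            } else if (!mainkey && n->sig_class == 0x18) {
                if (sub_pk == NULL)
                    return -1;                 /* models sub_pk->version on NULL */
                apply_expire(sub_pk, n, exp);  /* also hits later subkeys' sigs */
                updated++;
            }
        }
    }
    return updated;
}

/* Fixed walk: remember every subkey packet, selected or not, and decide at
 * the binding signature whether the subkey it follows is the selected one. */
static int expire_walk_fixed(struct node *kb, int mainkey, uint32_t exp)
{
    struct node *main_pk = NULL, *cur_sub = NULL, *uid = NULL;
    int updated = 0;
    for (struct node *n = kb; n; n = n->next) {
        if (n->type == PKT_PUBKEY)
            main_pk = n;
        else if (n->type == PKT_SUBKEY)
            cur_sub = n;                       /* the subkey this sig will bind */
        else if (n->type == PKT_USERID)
            uid = n;
        else if (main_pk && n->type == PKT_SIG) {
            int is_cert = (n->sig_class & ~3) == 0x10;
            if (mainkey && uid && is_cert) {
                apply_expire(main_pk, n, exp);
                updated++;
            } else if (!mainkey && n->sig_class == 0x18
                       && cur_sub && cur_sub->selected) {
                apply_expire(cur_sub, n, exp);
                updated++;
            }
        }
    }
    return updated;
}

int main(void)
{
    struct node kb[7];
    printf("buggy, subkey 2 selected: %d\n", expire_walk_buggy(build_keyblock(kb, 2), 0, 1000));
    printf("buggy, subkey 1 selected: %d\n", expire_walk_buggy(build_keyblock(kb, 1), 0, 1000));
    printf("fixed, subkey 2 selected: %d\n", expire_walk_fixed(build_keyblock(kb, 2), 0, 1000));
    return 0;
}
```

The fixed walk needs no reset after a signature: a second binding signature on the same subkey is still matched against `cur_sub`, and an unselected subkey simply replaces `cur_sub` so its signature is left alone.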


