[Dailydave] GnuPG 1.4.4 fun

Troy Bollinger troy at austin.ibm.com
Tue Jul 25 02:49:53 CEST 2006


Quoting Evgeny Legerov (research at gleg.net):
> Another GnuPG bug:
> 
> $ perl -e 'print "\xfd\xff\xff\xff\xff\xfe"'| /var/gnupg/bin/gpg --no-armor
> gpg: /home/ggg/.gnupg/options:82: deprecated option "honor-http-proxy"
> gpg: please use "keyserver-options http-proxy" instead
> 
> gpg: Segmentation fault caught ... exiting
> Segmentation fault
> 

Hi,
The above testcase was posted to the dailydave mailing list a few days
ago.  The diff below stops the segmentation fault, although I'm not
certain that it's the _correct_ way to fix it.

I think there are similar problems with xmalloc() arguments in:

   parse_gpg_control
   create_gpg_control
   parse_plaintext

Troy

---------------------------------

$ diff -r -c gnupg-1.4.4 gnupg-1.4.4.new/
diff -r -c gnupg-1.4.4/g10/packet.h gnupg-1.4.4.new/g10/packet.h
*** gnupg-1.4.4/g10/packet.h    Thu Mar  9 06:12:02 2006
--- gnupg-1.4.4.new/g10/packet.h        Mon Jul 24 18:51:11 2006
***************
*** 302,309 ****
  
  
  typedef struct {
!     int  len;           /* length of data */
!     char data[1];
  } PKT_comment;
  
  typedef struct {
--- 302,309 ----
  
  
  typedef struct {
!     unsigned int  len;                  /* length of data */
!     byte data[1];
  } PKT_comment;
  
  typedef struct {
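Review bot: `len` becomes `unsigned int` while `parse_comment()` in the second hunk assigns it straight from an `unsigned long pktlen`; on 64-bit targets any length above 4 GiB is silently truncated before the `list_mode` loop reads it back, so `len` should have the same width as the packet length (`unsigned long` or `size_t`). The `char` to `byte` change also alters the element type that every other reader of `PKT_comment.data` sees, so those sites should be checked for pointer-conversion warnings (for example, any place that passes `data` to a `char *` parameter now needs a cast).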
diff -r -c gnupg-1.4.4/g10/parse-packet.c gnupg-1.4.4.new/g10/parse-packet.c
*** gnupg-1.4.4/g10/parse-packet.c      Sun Jun 25 05:58:40 2006
--- gnupg-1.4.4.new/g10/parse-packet.c  Mon Jul 24 19:17:04 2006
***************
*** 2087,2101 ****
  parse_comment( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *packet )
  {
      byte *p;
  
!     packet->pkt.comment = xmalloc(sizeof *packet->pkt.comment + pktlen - 1);
      packet->pkt.comment->len = pktlen;
      p = packet->pkt.comment->data;
      for( ; pktlen; pktlen--, p++ )
        *p = iobuf_get_noeof(inp);
  
      if( list_mode ) {
!       int n = packet->pkt.comment->len;
        fprintf (listfp, ":%scomment packet: \"", pkttype == PKT_OLD_COMMENT?
                                         "OpenPGP draft " : "" );
        for(p=packet->pkt.comment->data; n; p++, n-- ) {
--- 2087,2106 ----
  parse_comment( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *packet )
  {
      byte *p;
+     size_t sz = sizeof *packet->pkt.comment + pktlen - 1;
  
!     if (sz < pktlen) {
!       log_error("packet(%d) too big (%lu)\n", pkttype, (ulong)pktlen);
!       g10_exit (126);
!     }
!     packet->pkt.comment = xmalloc(sz);
      packet->pkt.comment->len = pktlen;
      p = packet->pkt.comment->data;
      for( ; pktlen; pktlen--, p++ )
        *p = iobuf_get_noeof(inp);
  
      if( list_mode ) {
!       size_t n = packet->pkt.comment->len;
        fprintf (listfp, ":%scomment packet: \"", pkttype == PKT_OLD_COMMENT?
                                         "OpenPGP draft " : "" );
        for(p=packet->pkt.comment->data; n; p++, n-- ) {
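Review bot: The `sz < pktlen` test only catches the case where `sizeof *packet->pkt.comment + pktlen - 1` actually wraps around; a length just below the wrap point still passes and is handed to `xmalloc()` unchanged, and `packet->pkt.comment->len = pktlen` still narrows `unsigned long` into the struct's `unsigned int` field. A more robust fix is an explicit upper bound on an acceptable comment-packet length checked before the allocation, and on failure rejecting the packet with an error (skipping its remaining bytes) rather than calling `g10_exit (126)`, so that one malformed packet in an input stream produces a reported error instead of terminating the whole process.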

-- 
Troy Bollinger <troy at austin.ibm.com>
Network Security Analyst
PGP keyid: 1024/0xB7783129
Troy's opinions are not IBM policy
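The following is an added example, not GnuPG code and not part of the original message. It shows the allocation-size computation that the patch above hardens, first in its original wrapping form and then with the two checks a reviewer would expect: an explicit upper bound on the packet length and an overflow test on the addition. The struct mirrors the `PKT_comment` layout from the diff; `EXAMPLE_MAX_COMMENT_LEN`, `checked_size`, `comment_from_bytes` and the sample body are assumptions made for this example only.

```c
/* Added example, not GnuPG code: computing a variable-length packet's
 * allocation size without letting the arithmetic wrap. The struct mirrors
 * the PKT_comment layout from the patch above; EXAMPLE_MAX_COMMENT_LEN is
 * an assumed policy limit, not a value taken from GnuPG. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXAMPLE_MAX_COMMENT_LEN (64u * 1024u)   /* assumed upper bound */

typedef struct {
    unsigned int len;       /* length of data */
    unsigned char data[1];  /* one-byte tail, C89 style as in packet.h */
} example_comment;

/* The shape of the original computation: header + pktlen - 1 wraps when
 * pktlen is near the top of the type's range, so the allocation ends up far
 * smaller than the number of bytes subsequently copied into it. */
static size_t naive_size(unsigned long pktlen)
{
    return sizeof(example_comment) + pktlen - 1;
}

/* Hardened computation. Returns the number of bytes to allocate, or 0 when
 * the length exceeds the policy limit or the addition would overflow size_t.
 * A valid result is always at least `header`, so 0 is unambiguous. */
static size_t checked_size(unsigned long pktlen)
{
    const size_t header = offsetof(example_comment, data);

    if (pktlen > EXAMPLE_MAX_COMMENT_LEN)   /* policy limit on packet size */
        return 0;
    if (pktlen > SIZE_MAX - header)         /* header + pktlen would wrap */
        return 0;
    return header + (size_t)pktlen;
}

/* Build a comment from a byte buffer of pktlen bytes; NULL if rejected. */
static example_comment *comment_from_bytes(const unsigned char *body,
                                           unsigned long pktlen)
{
    size_t sz = checked_size(pktlen);
    example_comment *c;

    if (sz == 0)
        return NULL;
    c = malloc(sz);
    if (c == NULL)
        return NULL;
    c->len = (unsigned int)pktlen;   /* safe: pktlen <= EXAMPLE_MAX_COMMENT_LEN */
    memcpy(c->data, body, pktlen);
    return c;
}

/* Round-trips a constructed sample body and reports whether it survived. */
static int roundtrip_ok(void)
{
    static const unsigned char body[] = "example comment";   /* constructed */
    const unsigned long n = sizeof body - 1;
    example_comment *c = comment_from_bytes(body, n);
    int ok;

    if (c == NULL)
        return 0;
    ok = (c->len == n) && (memcmp(c->data, body, n) == 0);
    free(c);
    return ok;
}

int main(void)
{
    /* The testcase's 0xfffffffe length is two below a 32-bit maximum;
     * ULONG_MAX - 1 has the same shape for this platform's word size. */
    const unsigned long bad = ULONG_MAX - 1;

    printf("naive size for %lu wraps to %zu\n", bad, naive_size(bad));
    printf("checked size for %lu -> %zu (0 = rejected)\n", bad, checked_size(bad));
    printf("checked size for 15 -> %zu\n", checked_size(15));
    printf("round trip: %s\n", roundtrip_ok() ? "ok" : "failed");
    return 0;
}
```

The bound check is what makes the arithmetic safe regardless of word size: the overflow test alone would let a 64-bit build accept a multi-gigabyte length that never wraps but still exhausts memory, which is the case the patch's `sz < pktlen` comparison does not cover.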
