Bug Report: Client DOS in g10 keyserver search
David Shaw
dshaw at jabberwocky.com
Thu Apr 26 13:40:42 CEST 2007
On Thu, Apr 26, 2007 at 11:34:13AM +0200, Christoph M. Wintersteiger wrote:
>
> At least versions 1.4.4, 1.4.7 and 2.0.3 of GnuPG allow malicious
> keyservers to crash a client when searching for keys. The bug is due to
> an incorrect implementation of trailing whitespace removal from a
> keyserver's response.
>
> The bug can be found in g10/keyserver.c at
> line 1410 (version 1.4.4)
> line 1415 (version 1.4.7)
> line 1424 (version 2.0.3),
> which reads
> plen[ptr]='\0';
>
> Obviously the two variables have been reversed and the line should be
> corrected to
> ptr[plen]='\0';
Yes, this is incorrect, and I'll fix it. It's a readability bug,
though, and not a code bug. Were you able to actually get the client
to crash? If so, I suspect it was for other reasons. As Simon points
out, 'plen[ptr]' is identical to 'ptr[plen]' in C.
http://c-faq.com/aryptr/joke.html
David
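An added illustration of the point David and Simon make, not code from GnuPG or from either poster: in C, `E1[E2]` is defined as `*((E1) + (E2))`, so a trailing-whitespace trimmer terminates the same byte whether it writes `ptr[plen]` or `plen[ptr]`. The function names and the sample response line are constructed for this example.

```c
#include <assert.h>
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Length of `ptr` with trailing whitespace excluded. The plen > 0 guard
 * keeps an empty or all-whitespace line from underflowing the index. */
static size_t trimmed_len(const char *ptr)
{
    size_t plen = strlen(ptr);
    while (plen > 0 && isspace((unsigned char)ptr[plen - 1]))
        plen--;
    return plen;
}

/* C defines E1[E2] as *((E1) + (E2)), so plen[ptr] and ptr[plen] are the
 * same byte; both spellings below terminate the string identically. */
static void trim_reversed(char *ptr)     { size_t plen = trimmed_len(ptr); plen[ptr] = '\0'; }
static void trim_conventional(char *ptr) { size_t plen = trimmed_len(ptr); ptr[plen] = '\0'; }

/* 1 if both spellings denote the same address for this index. */
static int same_element(const char *ptr, size_t plen)
{
    return &ptr[plen] == &plen[ptr];
}

/* Trim a copy of `input` with each spelling; 1 if both equal `expected`. */
static int trims_equivalently(const char *input, const char *expected)
{
    char a[128], b[128];
    if (strlen(input) >= sizeof a)
        return 0;                     /* reject lines that would not fit */
    strcpy(a, input);
    strcpy(b, input);
    trim_reversed(a);
    trim_conventional(b);
    return strcmp(a, b) == 0 && strcmp(a, expected) == 0;
}

int main(void)
{
    /* Constructed line in the style of a machine-readable keyserver reply. */
    const char *line = "pub:0123456789ABCDEF:1:2048:1177502400:: \t\r\n";
    assert(trims_equivalently(line, "pub:0123456789ABCDEF:1:2048:1177502400::"));
    assert(same_element(line, 5));
    return 0;
}
```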