Bug Report: Client DOS in g10 keyserver search

David Shaw dshaw at jabberwocky.com
Thu Apr 26 13:40:42 CEST 2007

On Thu, Apr 26, 2007 at 11:34:13AM +0200, Christoph M. Wintersteiger wrote:
> At least versions 1.4.4, 1.4.7 and 2.0.3 of GnuPG allow malicious
> keyservers to crash a client when searching for keys. The bug is due to
> an incorrect implementation of trailing whitespace removal from a
> keyserver's response.
> The bug can be found in g10/keyserver.c at 
> line 1410 (version 1.4.4)
> line 1415 (version 1.4.7)
> line 1424 (version 2.0.3),
> which reads
> plen[ptr]='\0';
> Obviously the two variables have been reversed and the line should be
> corrected to 
> ptr[plen]='\0'; 

Yes, this is incorrect, and I'll fix it.  It's a readability bug,
though, and not a code bug.  Were you able to actually get the client
to crash?  If so, I suspect it was for other reasons.  As Simon points
out, 'plen[ptr]' is identical to 'ptr[plen]' in C.
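As an added example (not code from the thread or from GnuPG), the trailing-whitespace trimmer below is written twice, once as `ptr[plen]` and once as `plen[ptr]`, to show that both spellings strip the same bytes from a constructed sample response line; the function names and the 256-byte scratch buffers are assumptions for the demo.

```c
#include <ctype.h>
#include <string.h>

/* Strip trailing whitespace in place, with the subscript written the
   readable way (ptr[plen]). Returns the trimmed length. */
size_t trim_trailing_readable(char *ptr)
{
    size_t plen = strlen(ptr);
    while (plen > 0 && isspace((unsigned char)ptr[plen - 1]))
        plen--;
    ptr[plen] = '\0';
    return plen;
}

/* The same routine with the subscript reversed, as in keyserver.c.
   C defines a[b] as *(a + b), so plen[ptr] and ptr[plen] name the same
   byte; the spelling is confusing but the behaviour is identical. */
size_t trim_trailing_swapped(char *ptr)
{
    size_t plen = strlen(ptr);
    while (plen > 0 && isspace((unsigned char)(plen - 1)[ptr]))
        plen--;
    plen[ptr] = '\0';
    return plen;
}

/* Helper (assumed for this demo): run both variants on private copies of
   `line` and return 1 if they agree byte for byte, 0 otherwise. */
int both_variants_agree(const char *line)
{
    char buf1[256], buf2[256];
    if (strlen(line) >= sizeof buf1)
        return 0;
    strcpy(buf1, line);
    strcpy(buf2, line);
    size_t n1 = trim_trailing_readable(buf1);
    size_t n2 = trim_trailing_swapped(buf2);
    return n1 == n2 && strcmp(buf1, buf2) == 0;
}

/* Helper (assumed): trimmed length of a copy of `line` via the swapped form. */
size_t trimmed_length(const char *line)
{
    char buf[256];
    if (strlen(line) >= sizeof buf)
        return (size_t)-1;
    strcpy(buf, line);
    return trim_trailing_swapped(buf);
}
```

Feeding a constructed line such as `"pub:0123ABCD:17:1024:1170000000::   \r\n"` to both variants yields the same trimmed string, which is why the swapped subscript cannot by itself crash the client.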