[PATCH] fix agent/findkey.c

NIIBE Yutaka gniibe at fsij.org
Wed Oct 31 08:09:06 CET 2012


While I was testing gpg-agent on the 2.0 stable branch, it
segfaulted when I did:

  $ gpg-connect-agent "READKEY 9277C5875C8AFFCB727661C18BE4E0A0DEED9260" /bye

The keygrip 9277C5875C8AFFCB727661C18BE4E0A0DEED9260 was created by
"monkeysphere s", which has a comment.

It segfaulted in libgcrypt.  So I read the code of
libgcrypt/src/sexp.c and realized that the caller should supply a
pointer to the argument.

Here is the fix (assuming libgcrypt is correct).  Compiled and tested
for the 2.0 stable branch.  Exactly the same bug exists on the master
branch, too.

diff --git a/agent/findkey.c b/agent/findkey.c
index 800db88..550e403 100644
--- a/agent/findkey.c
+++ b/agent/findkey.c
@@ -824,15 +824,15 @@ agent_public_key_from_file (ctrl_t ctrl,
     {
       p = stpcpy (p, "(uri %b)");
       assert (argidx+1 < DIM (args));
-      args[argidx++] = (void *)uri_length;
-      args[argidx++] = (void *)uri;
+      args[argidx++] = (void *)&uri_length;
+      args[argidx++] = (void *)&uri;
     }
   if (comment)
     {
       p = stpcpy (p, "(comment %b)");
       assert (argidx+1 < DIM (args));
-      args[argidx++] = (void *)comment_length;
-      args[argidx++] = (void*)comment;
+      args[argidx++] = (void *)&comment_length;
+      args[argidx++] = (void*)&comment;
     }
   *p++ = ')';
   *p = 0;
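Review bot: the change is correct for gcry_sexp_build_array, whose args[] entries must be the addresses of the arguments rather than the arguments themselves, so for each %b the array variant reads the length through an int * and the data through a pointer to the char pointer; `args[argidx++] = (void *)&comment_length;` followed by `args[argidx++] = (void*)&comment;` is the right shape. Two follow-ups before merging: confirm that uri_length and comment_length are declared as int (the array variant will dereference them as int *, not size_t *), and check the other format branches built earlier in agent_public_key_from_file for the same value-instead-of-pointer pattern, since this hunk only covers the (uri %b) and (comment %b) branches. Style nit: `(void*)&comment` keeps the original's missing space where the neighbouring lines use `(void *)`.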

-- 
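The pointer-to-argument contract the message describes, as an added example that is not GnuPG's or libgcrypt's code: a small stand-in builder that models gcry_sexp_build_array's convention (each args[] element is the address of an argument; a %b consumes an int * length and a pointer to the data pointer) and emits canonical N:bytes tokens. The names sexp_build_array, build_comment_sexp and check_comment_sexp, and the exact output format, are assumptions of this model, not libgcrypt's API or output.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Append n bytes to a growable, NUL-terminated buffer. 0 on success, -1 on OOM. */
static int
buf_append (char **buf, size_t *len, size_t *cap, const char *src, size_t n)
{
  if (*len + n + 1 > *cap)
    {
      size_t newcap = *cap ? *cap * 2 : 64;
      while (newcap < *len + n + 1)
        newcap *= 2;
      char *p = realloc (*buf, newcap);
      if (!p)
        return -1;
      *buf = p;
      *cap = newcap;
    }
  memcpy (*buf + *len, src, n);
  *len += n;
  (*buf)[*len] = 0;
  return 0;
}

/* Append one canonical S-expression token "N:bytes". */
static int
buf_append_token (char **buf, size_t *len, size_t *cap, const char *data, int n)
{
  char hdr[32];
  int h;
  if (n < 0)
    return -1;
  h = snprintf (hdr, sizeof hdr, "%d:", n);
  if (buf_append (buf, len, cap, hdr, (size_t)h) < 0)
    return -1;
  return buf_append (buf, len, cap, data, (size_t)n);
}

/* Model of gcry_sexp_build_array's calling convention (assumed stand-in,
 * NOT libgcrypt's implementation): format holds '(' ')' literal atoms and
 * "%b"; for each %b, args[] holds a pointer to an int length followed by a
 * pointer to the data pointer.  Returns malloc'd canonical text or NULL. */
char *
sexp_build_array (const char *format, void **args, size_t nargs)
{
  char *buf = NULL;
  size_t len = 0, cap = 0, argidx = 0;
  const char *p = format;

  while (*p)
    {
      if (*p == '(' || *p == ')')
        {
          if (buf_append (&buf, &len, &cap, p, 1) < 0)
            goto fail;
          p++;
        }
      else if (*p == ' ')
        p++;
      else if (p[0] == '%' && p[1] == 'b')
        {
          /* The contract the patch restores: dereference args[], do not cast. */
          if (argidx + 1 >= nargs)
            goto fail;                        /* caller supplied too few args */
          int datalen = *(int *)args[argidx++];
          const char *data = *(const char **)args[argidx++];
          if (!data || buf_append_token (&buf, &len, &cap, data, datalen) < 0)
            goto fail;
          p += 2;
        }
      else
        {
          const char *start = p;              /* literal atom up to a delimiter */
          while (*p && *p != ' ' && *p != '(' && *p != ')' && *p != '%')
            p++;
          if (p == start)                     /* unsupported % directive */
            goto fail;
          if (buf_append_token (&buf, &len, &cap, start, (int)(p - start)) < 0)
            goto fail;
        }
    }
  return buf;

fail:
  free (buf);
  return NULL;
}

/* The corrected pattern from the patch: store the ADDRESS of each %b
 * argument in args[].  Yields "(7:comment<len>:<comment>)" or NULL. */
char *
build_comment_sexp (const char *comment, int comment_length)
{
  void *args[2];
  size_t argidx = 0;

  args[argidx++] = (void *)&comment_length;   /* int *, not (void *)comment_length */
  args[argidx++] = (void *)&comment;          /* const char **, not the char * itself */
  return sexp_build_array ("(comment %b)", args, argidx);
}

/* Helper for checking: 1 if the built text equals expected, else 0. */
int
check_comment_sexp (const char *comment, int n, const char *expected)
{
  char *s = build_comment_sexp (comment, n);
  int ok = s && strcmp (s, expected) == 0;
  free (s);
  return ok;
}
```

Writing `(void *)comment_length` instead of `&comment_length` would make the builder dereference a small integer as an address, which is the crash the message reports; the bounds check on argidx mirrors the `assert (argidx+1 < DIM (args))` on the caller's side of the patch.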




