[Pkg-gnupg-maint] Bug#773507: explicit buffer overrun
NIIBE Yutaka
gniibe at fsij.org
Wed Jan 7 06:54:34 CET 2015
Hello,
Thanks for your reviewing and reporting. This message is Cc-ed to
gnupg-devel.
On 12/19/2014 07:24 PM, Joshua Rogers wrote:
> Package: gnupg2
> Version: 2.1.1
> Severity: normal
>
> in dirmngr/ldap.c on line 617, argv may be overflowed.
>
> 617: argv[argc++] = url;
>
> a check is made on line 591 that checks to see whether argv is less than or email to 399, and if it does, exit.
> But argv is char *argv[50], while argc is a normal int.
> If argc is 398, it will pass that check.
Right.
Here's my fix. I'm going to apply this change since it's obvious
simple fix and there will be no conflict.
diff --git a/dirmngr/ldap.c b/dirmngr/ldap.c
index 478fdfd..00df167 100644
--- a/dirmngr/ldap.c
+++ b/dirmngr/ldap.c
@@ -588,7 +588,7 @@ start_cert_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *context,
strlist_t sl;
char *url;
- if (argc >= sizeof argv -1)
+ if (argc >= DIM (argv) - 1)
{
/* Too many patterns. It does not make sense to allow an
arbitrary number of patters because the length of the
--
More information about the Gnupg-devel
mailing list