[PATCH] gpg: Fix segv due to NULL value stored as opaque MPI (BRANCH 2.0)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jun 2 16:16:31 CEST 2015


Hi GnuPG folks--

I believe the patch below still needs to be applied to the 2.0 branch.

Regards,

        --dkg

On Sat 2015-02-21 18:23:44 -0500, Daniel Kahn Gillmor wrote:
> * g10/build-packet.c (do_secret_key): Check for NULL return from
> gcry_mpi_get_opaque.
> * g10/keyid.c (hash_public_key): Ditto.
> --
>
> This is a backport of 76c8122adfed0f0f443cce7bda702ba2b39661b3 from
> master to the STABLE-BRANCH-2-0
>
> On the STABLE-BRANCH-2-0, we may also want to patch g10/seckey-cert.c,
> but that has not been done in this patch.
>
> This fix extends commit 0835d2f44ef62eab51fce6a927908f544e01cf8f.
>
>   gpg2 --export --no-default-keyring --keyring TESTDATA
>
> With TESTDATA being below after unpacking.
>
>
> Reported-by: Jodie Cunningham
> Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
> ---
>  g10/build-packet.c |  6 ++++--
>  g10/keyid.c        | 16 ++++++++++------
>  2 files changed, 14 insertions(+), 8 deletions(-)
>
> diff --git a/g10/build-packet.c b/g10/build-packet.c
> index e986987..5cc03cf 100644
> --- a/g10/build-packet.c
> +++ b/g10/build-packet.c
> @@ -398,7 +398,8 @@ do_secret_key( IOBUF out, int ctb, PKT_secret_key *sk )
>  
>        assert (gcry_mpi_get_flag (sk->skey[npkey], GCRYMPI_FLAG_OPAQUE));
>        p = gcry_mpi_get_opaque (sk->skey[npkey], &ndatabits );
> -      iobuf_write (a, p, (ndatabits+7)/8 );
> +      if (p)
> +        iobuf_write (a, p, (ndatabits+7)/8 );
>      }
>    else if ( sk->is_protected )
>      {
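Review bot: The new `if (p)` guard in do_secret_key skips the write silently when gcry_mpi_get_opaque returns NULL, so the secret-key packet is emitted without that component and neither the caller nor the log learns about it. The assert on GCRYMPI_FLAG_OPAQUE just above still passes for an opaque MPI whose buffer is NULL, so consider adding at least a log_error in the NULL branch (or letting do_secret_key return an error) rather than writing a shorter but well-formed-looking packet for a corrupt key.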
> @@ -410,7 +411,8 @@ do_secret_key( IOBUF out, int ctb, PKT_secret_key *sk )
>  
>            assert (gcry_mpi_get_flag (sk->skey[i], GCRYMPI_FLAG_OPAQUE));
>            p = gcry_mpi_get_opaque (sk->skey[i], &ndatabits);
> -          iobuf_write (a, p, (ndatabits+7)/8);
> +          if (p)
> +            iobuf_write (a, p, (ndatabits+7)/8);
>          }
>        write_16(a, sk->csum );
>      }
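Review bot: Same silent-skip concern as in the first hunk, and here `write_16(a, sk->csum)` after the loop still emits the stored checksum, so a packet with a skipped component goes out with a checksum that cannot match the bytes actually written; returning an error instead of writing the inconsistent packet would be cleaner.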
> diff --git a/g10/keyid.c b/g10/keyid.c
> index 6af0f48..ef6ee1c 100644
> --- a/g10/keyid.c
> +++ b/g10/keyid.c
> @@ -115,14 +115,18 @@ hash_public_key( gcry_md_hd_t md, PKT_public_key *pk )
>    if(npkey==0 && pk->pkey[0]
>       && gcry_mpi_get_flag (pk->pkey[0], GCRYMPI_FLAG_OPAQUE))
>      {
> -      gcry_md_write (md, pp[0], nn[0]);
> +      if (pp[0])
> +        gcry_md_write (md, pp[0], nn[0]);
>      }
>    else
> -    for(i=0; i < npkey; i++ )
> -      {
> -	gcry_md_write ( md, pp[i], nn[i] );
> -	xfree(pp[i]);
> -      }
> +    {
> +      for(i=0; i < npkey; i++ )
> +        {
> +          if (pp[i])
> +            gcry_md_write ( md, pp[i], nn[i] );
> +          xfree(pp[i]);
> +        }
> +    }
>  }
>  
>  static gcry_md_hd_t
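Review bot: In hash_public_key the `if (pp[0])` / `if (pp[i])` guards stop the segfault, but a key whose opaque MPI holds a NULL buffer then gets a hash (and so a key ID and fingerprint) computed over whatever components remain, with no signal to the caller; a malformed key thereby acquires a plausible-looking fingerprint. Since the condition above already checks `pk->pkey[0]` is non-NULL, it is the returned opaque buffer that is NULL here, and the unconditional `xfree(pp[i])` in the else branch is only safe provided xfree accepts NULL. As a style point, the braces added around the for loop do not change behaviour but re-indent the whole body, which makes the functional change harder to spot in the diff.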
> -- 
> 2.1.4