
Re: [Dailydave] GnuPG 1.4.4 fun
Quoting Evgeny Legerov (research@gleg.net):
> Another GnuPG bug:
>
> $ perl -e 'print "\xfd\xff\xff\xff\xff\xfe"'| /var/gnupg/bin/gpg --no-armor
> gpg: /home/ggg/.gnupg/options:82: deprecated option "honor-http-proxy"
> gpg: please use "keyserver-options http-proxy" instead
>
> gpg: Segmentation fault caught ... exiting
> Segmentation fault
>

Hi,
The above testcase was posted to the dailydave mailing list a few days
ago. The diff below stops the segmentation fault, although I'm not
certain that it's the _correct_ way to fix it.

I think there are similar problems with xmalloc() arguments in:

parse_gpg_control
create_gpg_control
parse_plaintext

Troy

---------------------------------

$ diff -r -c gnupg-1.4.4 gnupg-1.4.4.new/
diff -r -c gnupg-1.4.4/g10/packet.h gnupg-1.4.4.new/g10/packet.h
*** gnupg-1.4.4/g10/packet.h Thu Mar 9 06:12:02 2006
--- gnupg-1.4.4.new/g10/packet.h Mon Jul 24 18:51:11 2006
***************
*** 302,309 ****


typedef struct {
! int len; /* length of data */
! char data[1];
} PKT_comment;

typedef struct {
--- 302,309 ----


typedef struct {
! unsigned int len; /* length of data */
! byte data[1];
} PKT_comment;

typedef struct {
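Review bot: widening `len` to `unsigned int` in the `---` half still leaves it narrower than the `unsigned long pktlen` it is assigned from in `parse_comment` (`packet->pkt.comment->len = pktlen;` in the parse-packet.c hunk below), so on platforms where `unsigned long` is wider than `unsigned int` a large `pktlen` is silently truncated when stored; `size_t`, which the list-mode loop below already adopts for `n`, or a bound on `pktlen` before the assignment would close that. Changing `data` from `char` to `byte` also changes the type every other user of `PKT_comment` sees, and none of those users appear in this diff, so they need a check for remaining `char *` assumptions.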
diff -r -c gnupg-1.4.4/g10/parse-packet.c gnupg-1.4.4.new/g10/parse-packet.c
*** gnupg-1.4.4/g10/parse-packet.c Sun Jun 25 05:58:40 2006
--- gnupg-1.4.4.new/g10/parse-packet.c Mon Jul 24 19:17:04 2006
***************
*** 2087,2101 ****
parse_comment( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *packet )
{
byte *p;

! packet->pkt.comment = xmalloc(sizeof *packet->pkt.comment + pktlen - 1);
packet->pkt.comment->len = pktlen;
p = packet->pkt.comment->data;
for( ; pktlen; pktlen--, p++ )
*p = iobuf_get_noeof(inp);

if( list_mode ) {
! int n = packet->pkt.comment->len;
fprintf (listfp, ":%scomment packet: \"", pkttype == PKT_OLD_COMMENT?
"OpenPGP draft " : "" );
for(p=packet->pkt.comment->data; n; p++, n-- ) {
--- 2087,2106 ----
parse_comment( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *packet )
{
byte *p;
+ size_t sz = sizeof *packet->pkt.comment + pktlen - 1;

! if (sz < pktlen) {
! log_error("packet(%d) too big (%lu)\n", pkttype, (ulong)pktlen);
! g10_exit (126);
! }
! packet->pkt.comment = xmalloc(sz);
packet->pkt.comment->len = pktlen;
p = packet->pkt.comment->data;
for( ; pktlen; pktlen--, p++ )
*p = iobuf_get_noeof(inp);

if( list_mode ) {
! size_t n = packet->pkt.comment->len;
fprintf (listfp, ":%scomment packet: \"", pkttype == PKT_OLD_COMMENT?
"OpenPGP draft " : "" );
for(p=packet->pkt.comment->data; n; p++, n-- ) {
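Review bot: the new `if (sz < pktlen)` guard in the `---` half correctly detects wrap-around of `sizeof *packet->pkt.comment + pktlen - 1`, but answering it with `g10_exit (126)` turns a malformed packet from a crash into a deliberate process exit; returning an error to the caller would let the rest of the input be handled and matches the author's own doubt about whether this is the right fix. The guard also only rejects lengths that actually wrap, so a `pktlen` just below the wrap point still reaches `xmalloc` as a near-maximal request; an upper bound on `pktlen` right after the packet header is parsed, as suggested in the reply below, would catch both cases with one check.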

--
Troy Bollinger <troy@austin.ibm.com>
Network Security Analyst
PGP keyid: 1024/0xB7783129
Troy's opinions are not IBM policy

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
Re: [Dailydave] GnuPG 1.4.4 fun
On Tue, 25 Jul 2006 02:49, Troy Bollinger said:

> I think there are similar problems with xmalloc() arguments in:
>
> parse_gpg_control
> create_gpg_control
> parse_plaintext

Right after fixing the recent UID integer overflow I walked over the
code and figured out the mallocs in need of a fix. Most of them are
already fixed; a few need more investigation.

The easiest fix is to limit the packet length to a reasonable value
right after parsing the packet header.


Thanks,

Werner
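As an added illustration of the two fixes discussed in this thread (the wrap-around test in Troy's patch and Werner's suggestion of bounding the packet length after the header), the following C is not GnuPG code: PKT_comment mirrors the patched header, while MAX_COMMENT_PKTLEN, parse_comment_checked and the inp/avail buffer are assumptions standing in for the IOBUF read loop.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char byte;

/* Mirrors the PKT_comment layout from the patched packet.h on the page. */
typedef struct {
    unsigned int len;   /* length of data */
    byte data[1];
} PKT_comment;

/* Assumed upper bound for a comment packet body; the page names no value. */
#define MAX_COMMENT_PKTLEN (64UL * 1024UL)

/* The size arithmetic the original parse_comment() handed to xmalloc().
   Returns 1 when it wraps around in size_t, i.e. the result is smaller
   than pktlen itself, which is exactly the condition the posted patch tests. */
int comment_size_wraps(unsigned long pktlen)
{
    size_t sz = sizeof(PKT_comment) + (size_t)pktlen - 1;
    return sz < (size_t)pktlen;
}

/* Hardened variant: returns NULL instead of exiting the process when the
   length is implausible or the body is truncated.  inp/avail simulate the
   IOBUF read loop of the original (an assumption, not GnuPG's iobuf API). */
PKT_comment *parse_comment_checked(const byte *inp, size_t avail,
                                   unsigned long pktlen)
{
    PKT_comment *c;
    size_t sz;

    if (pktlen > MAX_COMMENT_PKTLEN)   /* reasonable bound, rejected up front */
        return NULL;
    if (comment_size_wraps(pktlen))    /* unreachable with the bound above;
                                          kept as defence in depth */
        return NULL;
    if (pktlen > avail)                /* body shorter than the header claims */
        return NULL;

    sz = sizeof(PKT_comment) + (size_t)pktlen - 1;
    c = malloc(sz);
    if (!c)
        return NULL;
    c->len = (unsigned int)pktlen;     /* cannot truncate: bounded far below UINT_MAX */
    memcpy(c->data, inp, pktlen);
    return c;
}
```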

