mirror of git://git.gnupg.org/gnupg.git synced 2025-01-21 14:47:03 +01:00

gpg: Fix off-by-one read in the attribute subpacket parser.

* g10/parse-packet.c (parse_attribute_subpkts): Check that the
attribute packet is large enough for the subpacket type.
--

Reported-by: Hanno Böck
Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2014-11-24 17:28:25 +01:00
parent b716e6a699
commit 0988764397


@ -2359,8 +2359,16 @@ parse_attribute_subpkts (PKT_user_id * uid)
if (buflen < n) if (buflen < n)
goto too_short; goto too_short;
attribs = if (!n)
xrealloc (attribs, (count + 1) * sizeof (struct user_attribute)); {
/* Too short to encode the subpacket type. */
if (opt.verbose)
log_info ("attribute subpacket too short\n");
break;
}
attribs = xrealloc (attribs,
(count + 1) * sizeof (struct user_attribute));
memset (&attribs[count], 0, sizeof (struct user_attribute)); memset (&attribs[count], 0, sizeof (struct user_attribute));
type = *buffer; type = *buffer;
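Review bot: The new `if (!n)` branch leaves the loop with `break`, while the length check directly above it handles a malformed length with `goto too_short`, so two truncation cases in the same parser take different exits. The loop end and the `too_short` label are outside this hunk, so it cannot be confirmed from here that both paths leave `uid` in the same state; if they do, jumping to the shared label would keep the handling in one place. The comment could also say why the guard is needed, for example `/* n == 0 leaves no byte for the subpacket type; the read of *buffer below needs n >= 1. */`. The diagnostic is only emitted under `opt.verbose`, so by default a truncated attribute packet is dropped without any trace, which makes malformed keys harder to spot during triage.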