Fix for Debian bug 402592

2025-01-21 14:47:03 +01:00 · 2007-02-04 17:23:00 +00:00 · 2007-02-04 17:23:00 +00:00 · 1c2a81fcee
commit 1c2a81fcee
parent 7759f3017e
2 changed files with 18 additions and 3 deletions
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@ -1,3 +1,8 @@
+2007-02-04  Werner Koch  <wk@g10code.com>
+
+	* parse-packet.c (parse_signature): Limit bytes read for an
+	unknown alogorithm.  Fixes Debian bug#402592.
+
 2007-01-31  Werner Koch  <wk@g10code.com>

 	* verify.c (verify_signatures): Do no dereference a NULL afx.
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@ -1494,10 +1494,20 @@ parse_signature( IOBUF inp, int pkttype, unsigned long pktlen,
 	unknown_pubkey_warning( sig->pubkey_algo );
 	/* We store the plain material in data[0], so that we are able
 	 * to write it back with build_packet() */
+        if (pktlen > (5 * MAX_EXTERN_MPI_BITS/8))
+          {
+            /* However we include a limit to avoid too trivial DoS
+               attacks by having gpg allocate too much memory.  */
+	    log_error ("signature packet: too much data\n");
+	    rc = G10ERR_INVALID_PACKET;
+          }
+        else
+          {
            sig->data[0]= gcry_mpi_set_opaque (NULL, read_rest(inp, pktlen, 0),
                                               pktlen*8 );
            pktlen = 0;
          }
+    }
    else {
 	for( i=0; i < ndata; i++ ) {
 	    n = pktlen;