gpg: Fix uninitialized access to search descindex with gpg keyboxes.

* kbx/keybox-search.c (keybox_search): Add arg R_DESCINDEX.  Change
both callers.
* g10/keydb.c (keydb_search): Always set DESCINDEX.
--

This only affects the new keybox for OpenPGP keys in 2.1.  The bug
exhibited itself by running GPA's backup command on Windows.
Werner Koch 2014-05-14 16:32:49 +02:00
parent 71fa6a3510
commit 25036ec6ab
4 changed files with 15 additions and 6 deletions


@ -1319,6 +1319,9 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc,
{
gpg_error_t rc;
if (descindex)
*descindex = 0; /* Make sure it is always set on return. */
if (!hd)
return gpg_error (GPG_ERR_INV_ARG);
@ -1333,6 +1336,7 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc,
&& keyblock_cache.kid[0] == desc[0].u.kid[0]
&& keyblock_cache.kid[1] == desc[0].u.kid[1])
{
/* (DESCINDEX is already set). */
if (DBG_CLOCK)
log_clock ("keydb_search leave (cached)");
return 0;
@ -1352,7 +1356,8 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc,
ndesc, descindex);
break;
case KEYDB_RESOURCE_TYPE_KEYBOX:
rc = keybox_search (hd->active[hd->current].u.kb, desc, ndesc);
rc = keybox_search (hd->active[hd->current].u.kb, desc,
ndesc, descindex);
break;
}
if (rc == -1 || gpg_err_code (rc) == GPG_ERR_EOF)
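Review bot: The comment on the cached-return path, `/* (DESCINDEX is already set). */`, does not say where it was set, so a reader has to scroll back to the entry reset to see that a cache hit always reports index 0 because the cache is keyed on desc[0]. Suggest `/* DESCINDEX was zeroed at entry; the cache is keyed on desc[0], so 0 is the correct match index here. */`. The entry reset also means DESCINDEX reads 0 after an error or EOF return, so callers must check rc before trusting it; that contract belongs in keydb_search's doc comment, which lies outside the hunk together with the rest of the function body.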


@ -720,7 +720,8 @@ keybox_search_reset (KEYBOX_HANDLE hd)
/* Note: When in ephemeral mode the search function does visit all
blobs but in standard mode, blobs flagged as ephemeral are ignored. */
int
keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc)
keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc,
size_t *r_descindex)
{
int rc;
size_t n;
@ -945,6 +946,10 @@ keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc)
}
continue;
found:
/* Record which DESC we matched on. Note this value is only
meaningful if this function returns with no errors. */
if(r_descindex)
*r_descindex = n;
for (n=any_skip?0:ndesc; n < ndesc; n++)
{
/* if (desc[n].skipfnc */


@ -83,7 +83,8 @@ int keybox_get_cert (KEYBOX_HANDLE hd, ksba_cert_t *ret_cert);
int keybox_get_flags (KEYBOX_HANDLE hd, int what, int idx, unsigned int *value);
int keybox_search_reset (KEYBOX_HANDLE hd);
int keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc);
int keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc,
size_t *r_descindex);
/*-- keybox-update.c --*/
@ -109,8 +110,6 @@ int keybox_compress (KEYBOX_HANDLE hd);
#if 0
int keybox_locate_writable (KEYBOX_HANDLE hd);
int keybox_search_reset (KEYBOX_HANDLE hd);
int keybox_search (KEYBOX_HANDLE hd, KEYDB_SEARCH_DESC *desc, size_t ndesc);
int keybox_rebuild_cache (void *);
#endif
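Review bot: The new r_descindex parameter is undocumented in the header, so a caller reading keybox.h cannot tell whether it may be NULL or when its value is valid. Suggest a comment above the prototype: `/* R_DESCINDEX may be NULL; otherwise it receives the index of the matching entry in DESC and is only meaningful when 0 is returned. */`.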


@ -798,7 +798,7 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc, size_t ndesc)
BUG(); /* we should never see it here */
break;
case KEYDB_RESOURCE_TYPE_KEYBOX:
rc = keybox_search (hd->active[hd->current].u.kr, desc, ndesc);
rc = keybox_search (hd->active[hd->current].u.kr, desc, ndesc, NULL);
break;
}
if (rc == -1) /* EOF -> switch to next resource */
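Review bot: The NULL passed as the new fourth argument is unexplained at the call site, and a reader has to go to keybox.h to learn that it simply discards the match index; a one-line comment would save that trip: `/* This keydb_search does not report which descriptor matched.  */`. This keydb_search (apparently the gpgsm one, judging by the `.u.kr` member and the three-argument signature) starts and ends outside the hunk.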