From 39978487863066e59bb657f5fe4e8baab510da7e Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Mon, 9 Feb 2015 10:21:19 +0100
Subject: [PATCH] gpg: Fix a NULL-deref due to empty ring trust packets.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* g10/parse-packet.c (parse_trust): Always allocate a packet.
--
Reported-by: Hanno Böck
Signed-off-by: Werner Koch
Test data:
gpg2 --no-default-keyring --keyring FILE --export
With this unpacked data for FILE:
-----BEGIN PGP ARMORED FILE-----
Version: GnuPG v2
Comment: Use "gpg --dearmor" for unpacking
mI0EVNP2zQEEALvETPVDCJDBXkegF4esiV1fqlne40yJnCmJeDEJYocwFPXfFA86
sSGjInzgDbpbC9gQPwq91Qe9x3Vy81CkyVonPOejhINlzfpzqAAa3A6viJccZTwt
DJ8E/I9jg53sbYW8q+VgfLn1hlggH/XQRT0HkXMP5y9ClURYnTsNwJhXABEBAAG0
CXRlc3QgdGVzdIi5BBMBCgAjBQJU0/bNAhsDBwsJCAcDAgEGFQgCCQoLBBYCAwEC
HgECF4AACgkQlsmuCapsqYLvtQP/byY0tM0Lc3moftbHQZ2eHj9ykLjsCjeMDfPx
kZUUtUS3HQaqgZLZOeqPjM7XgGh5hJsd9pfhmRWJ0x+iGB47XQNpRTtdLBV/WMCS
l5z3uW7e9Md7QVUVuSlJnBgQHTS6EgP8JQadPkAiF+jgpJZXP+gFs2j3gobS0qUF
eyTtxs+wAAAD
=puSt
-----END PGP ARMORED FILE-----
---
 g10/parse-packet.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index 524fabee1..012d37368 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -2596,11 +2596,11 @@ parse_trust (IOBUF inp, int pkttype, unsigned long pktlen, PACKET * pkt)
 (void) pkttype;
+ pkt->pkt.ring_trust = xmalloc (sizeof *pkt->pkt.ring_trust);
 if (pktlen)
 {
 c = iobuf_get_noeof (inp);
 pktlen--;
- pkt->pkt.ring_trust = xmalloc (sizeof *pkt->pkt.ring_trust);
 pkt->pkt.ring_trust->trustval = c;
 pkt->pkt.ring_trust->sigcache = 0;
 if (!c && pktlen == 1)
@@ -2619,6 +2619,8 @@ parse_trust (IOBUF inp, int pkttype, unsigned long pktlen, PACKET * pkt)
 }
 else
 {
+ pkt->pkt.ring_trust->trustval = 0;
+ pkt->pkt.ring_trust->sigcache = 0;
 if (list_mode)
 es_fprintf (listfp, ":trust packet: empty\n");
 }
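Review bot: The now-unconditional `xmalloc` in the first hunk returns uninitialised memory, so the ring-trust packet is only well-defined while every branch sets each field by hand. The second hunk has to add `trustval = 0` and `sigcache = 0` to the empty-packet branch for exactly that reason, and a field added to the struct later would be left uninitialised on that path. Allocating with `pkt->pkt.ring_trust = xmalloc_clear (sizeof *pkt->pkt.ring_trust);` zeroes the struct once and makes the explicit zero assignments in both hunks redundant. A comment above the allocation would also help, e.g. `/* Always allocate: a zero-length trust packet must not leave ring_trust NULL. */`; the consumers are outside the hunk, so that wording rests on the commit message. parse_trust starts before the first hunk and ends after the second.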