1
0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-25 15:27:03 +01:00

gpg: Graceful skip reading of corrupt MPIs.

* g10/parse-packet.c (mpi_read): Change error message on overflow.
--

This gets gpg 2.x in sync to what gpg 1.4 does.  No need to die for a
broken MPI.

GnuPG-bug-id: 1593
This commit is contained in:
Werner Koch 2014-06-02 18:38:04 +02:00
parent ce989354fb
commit 6af194038a

View File

@ -111,24 +111,31 @@ mpi_read (iobuf_t inp, unsigned int *ret_nread, int secure)
/*FIXME: Needs to be synced with gnupg14/mpi/mpicoder.c*/ /*FIXME: Needs to be synced with gnupg14/mpi/mpicoder.c*/
int c, c1, c2, i; int c, c1, c2, i;
unsigned int nmax = *ret_nread;
unsigned int nbits, nbytes; unsigned int nbits, nbytes;
size_t nread = 0; size_t nread = 0;
gcry_mpi_t a = NULL; gcry_mpi_t a = NULL;
byte *buf = NULL; byte *buf = NULL;
byte *p; byte *p;
if (!nmax)
goto overflow;
if ( (c = c1 = iobuf_get (inp)) == -1 ) if ( (c = c1 = iobuf_get (inp)) == -1 )
goto leave; goto leave;
if (++nread == nmax)
goto overflow;
nbits = c << 8; nbits = c << 8;
if ( (c = c2 = iobuf_get (inp)) == -1 ) if ( (c = c2 = iobuf_get (inp)) == -1 )
goto leave; goto leave;
++nread;
nbits |= c; nbits |= c;
if ( nbits > MAX_EXTERN_MPI_BITS ) if ( nbits > MAX_EXTERN_MPI_BITS )
{ {
log_error("mpi too large (%u bits)\n", nbits); log_error("mpi too large (%u bits)\n", nbits);
goto leave; goto leave;
} }
nread = 2;
nbytes = (nbits+7) / 8; nbytes = (nbits+7) / 8;
buf = secure ? gcry_xmalloc_secure (nbytes + 2) : gcry_xmalloc (nbytes + 2); buf = secure ? gcry_xmalloc_secure (nbytes + 2) : gcry_xmalloc (nbytes + 2);
p = buf; p = buf;
@ -137,6 +144,8 @@ mpi_read (iobuf_t inp, unsigned int *ret_nread, int secure)
for ( i=0 ; i < nbytes; i++ ) for ( i=0 ; i < nbytes; i++ )
{ {
p[i+2] = iobuf_get(inp) & 0xff; p[i+2] = iobuf_get(inp) & 0xff;
if (nread == nmax)
goto overflow;
nread++; nread++;
} }
@ -152,12 +161,15 @@ mpi_read (iobuf_t inp, unsigned int *ret_nread, int secure)
a = NULL; a = NULL;
} }
leave:
gcry_free(buf);
if ( nread > *ret_nread )
log_bug ("mpi larger than packet");
else
*ret_nread = nread; *ret_nread = nread;
gcry_free(buf);
return a;
overflow:
log_error ("mpi larger than indicated length (%u bits)\n", 8*nmax);
leave:
*ret_nread = nread;
gcry_free(buf);
return a; return a;
} }