From 7a068ac50bc48de26e93cfeadf412b37257f97d5 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Mon, 24 Nov 2014 19:12:37 +0100
Subject: [PATCH] gpg: Fix off-by-one read in the attribute subpacket parser.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* g10/parse-packet.c (parse_attribute_subpkts): Check that the attribute packet is large enough for the subpacket type.
--
Reported-by: Hanno Böck
Signed-off-by: Werner Koch
(backported from commit 0988764397f99db4efef1eabcdb8072d6159af76)
---
 g10/parse-packet.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index f1d7f7131..99ff7b7b1 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -2102,6 +2102,14 @@ parse_attribute_subpkts(PKT_user_id *uid) if( buflen < n ) goto too_short; + if (!n) { /* Too short to encode the subpacket type. */ if (opt.verbose) log_info ("attribute subpacket too short\n"); break; } + attribs=xrealloc(attribs,(count+1)*sizeof(struct user_attribute)); memset(&attribs[count],0,sizeof(struct user_attribute));
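Review bot: The new `if (!n)` guard leaves the loop with `break`, while the neighbouring length check on the preceding context line, `if( buflen < n ) goto too_short;`, routes the same class of malformed input through the `too_short` path, so a zero-length subpacket is only ever mentioned under `opt.verbose` and parsing otherwise stops as if the attribute packet had ended cleanly. A subpacket with no room for its type byte is as malformed as a truncated one, and using `goto too_short;` in place of `break;` would keep the two error paths consistent and make the condition visible wherever `too_short` reports. What `too_short` does with the partially built `attribs` array and `count` is outside this hunk — parse_attribute_subpkts starts and ends outside it — so confirm that the label's cleanup matches before switching the branch.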