gpg: Fix regression in --locate-keys (in 2.1.9).

* g10/getkey.c (getkey_ctx_s): Add field "extra_list". (get_pubkey_byname): Store strings in the context. (getkey_end): Free EXTRA_LIST. -- This fixes a use-after-free bug. It showed up with: gpg --auto-key-locate local --locate-key wk@gnupg.org The key was shown but also all other following keys in the keyring. Bisecting showed d47e84946e as culprit but the actual cause was a part of: Regression-due-to: b06f96ba4f Signed-off-by: Werner Koch <wk@gnupg.org>
2015-11-13 12:56:13 +01:00 · 2015-11-13 12:56:13 +01:00 · 7e59fb21f7
parent 2038adf16d
commit 7e59fb21f7
1 changed files with 13 additions and 1 deletions
--- a/g10/getkey.c
+++ b/g10/getkey.c
@ -77,6 +77,10 @@ struct getkey_ctx_s
     released using getkey_end()).  */
  int not_allocated;

+  /* This variable is used as backing store for strings which have
+     their address used in ITEMS.  */
+  strlist_t extra_list;
+
  /* Part of the search criteria: The low-level search specification
     as passed to keydb_search.  */
  int nitems;
@ -1028,7 +1032,14 @@ get_pubkey_byname (ctrl_t ctrl, GETKEY_CTX * retctx, PKT_public_key * pk,
      *retctx = NULL;
    }

-  free_strlist (namelist);
+  if (retctx && *retctx)
+    {
+      assert (!(*retctx)->extra_list);
+      (*retctx)->extra_list = namelist;
+    }
+  else
+    free_strlist (namelist);
+
  return rc;
 }

@ -1279,6 +1290,7 @@ getkey_end (getkey_ctx_t ctx)
  if (ctx)
    {
      keydb_release (ctx->kr_handle);
+      free_strlist (ctx->extra_list);
      if (!ctx->not_allocated)
 	xfree (ctx);
    }