Fix buffer overflow in openpgp_oid_to_str.

* common/openpgp-oid.c (openpgp_oid_to_str): Fix unsigned underflow. * common/t-openpgp-oid.c (BADOID): New. (test_openpgp_oid_to_str): Add test cases. -- The code has an obvious error by not considering invalid encoding for arc-2. A first byte of 0x80 can be used to make a value of less then 80 and we then subtract 80 from that value as required by the OID encoding rules. Due to the unsigned integer this results in a pretty long value which won't fit anymore into the allocated buffer. The fix is obvious. Also added a few simple test cases. Note that we keep on using sprintf instead of snprintf because managing the remaining length of the buffer would probably be more error prone than assuring that the buffer is large enough. Getting rid of sprintf altogether by using direct conversion along with membuf_t like code might be possible. Reported-by: Hanno Böck Signed-off-by: Werner Koch <wk@gnupg.org> Ported from libksba commit f715b9e156dfa99ae829fc694e5a0abd23ef97d7
2024-06-18 00:49:50 +02:00 · 2014-11-25 11:58:56 +01:00 · 2014-11-25 11:58:56 +01:00 · 8445ef24fc
commit 8445ef24fc
parent 28dafd4714
2 changed files with 11 additions and 0 deletions
--- a/common/openpgp-oid.c
+++ b/common/openpgp-oid.c
@ -236,6 +236,8 @@ openpgp_oid_to_str (gcry_mpi_t a)
        val <<= 7;
        val |= buf[n] & 0x7f;
      }
+    if (val < 80)
+      goto badoid;
    val -= 80;
    sprintf (p, "2.%lu", val);
    p += strlen (p);
--- a/common/t-openpgp-oid.c
+++ b/common/t-openpgp-oid.c
@ -32,6 +32,9 @@
  } while(0)


+#define BADOID "1.3.6.1.4.1.11591.2.12242973"
+
+
 static void
 test_openpgp_oid_from_str (void)
 {
@ -108,6 +111,12 @@ test_openpgp_oid_to_str (void)
    { "1.3.132.0.35",
      { 5, 0x2B, 0x81, 0x04, 0x00, 0x23 }},

+    { BADOID,
+      { 9, 0x80, 0x02, 0x70, 0x50, 0x25, 0x46, 0xfd, 0x0c, 0xc0 }},
+
+    { BADOID,
+      { 1, 0x80 }},
+
    { NULL }};
  gcry_mpi_t a;
  int idx;