security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-02-01 16:33:02 +01:00
Code Activity

gpg: Avoid NULL ptr access due to corrupted packets.

Browse Source 
* g10/parse-packet.c (parse_signature): Do not create an opaque MPI
with NULL and length > 0
(parse_key): Ditto.
--

GnuPG-bug-id: 5940, 5946
This commit is contained in:
Werner Koch 2022-04-25 15:21:05 +02:00
parent 9c0a24b4a5
commit 86d84464ae
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 13 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
g10/parse-packet.c
View File

@ -2290,8 +2290,10 @@ parse_signature (IOBUF inp, int pkttype, unsigned long pktlen,
} }
else else
{ {
sig->data[0] = void *tmpp;
gcry_mpi_set_opaque (NULL, read_rest (inp, pktlen), pktlen * 8);
tmpp = read_rest (inp, pktlen);
sig->data[0] = gcry_mpi_set_opaque (NULL, tmpp, tmpp? pktlen * 8 : 0);
pktlen = 0; pktlen = 0;
} }
} }
@ -2499,8 +2501,10 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen,
if (!npkey) if (!npkey)
{ {
/* Unknown algorithm - put data into an opaque MPI. */ /* Unknown algorithm - put data into an opaque MPI. */
pk->pkey[0] = gcry_mpi_set_opaque (NULL, void *tmpp = read_rest (inp, pktlen);
read_rest (inp, pktlen), pktlen * 8); /* Current gcry_mpi_cmp does not handle a (NULL,n>0) nicely and
* thus we avoid to create such an MPI. */
pk->pkey[0] = gcry_mpi_set_opaque (NULL, tmpp, tmpp? pktlen * 8 : 0);
pktlen = 0; pktlen = 0;
goto leave; goto leave;
} }
@ -2764,6 +2768,8 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen,
} }
else if (ski->is_protected) else if (ski->is_protected)
{ {
void *tmpp;
if (pktlen < 2) /* At least two bytes for the length. */ if (pktlen < 2) /* At least two bytes for the length. */
{ {
err = gpg_error (GPG_ERR_INV_PACKET); err = gpg_error (GPG_ERR_INV_PACKET);
@ -2773,9 +2779,10 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen,
/* Ugly: The length is encrypted too, so we read all stuff /* Ugly: The length is encrypted too, so we read all stuff
* up to the end of the packet into the first SKEY * up to the end of the packet into the first SKEY
* element. */ * element. */
tmpp = read_rest (inp, pktlen);
pk->pkey[npkey] = gcry_mpi_set_opaque (NULL, pk->pkey[npkey] = gcry_mpi_set_opaque (NULL,
read_rest (inp, pktlen), tmpp, tmpp? pktlen * 8 : 0);
pktlen * 8);
/* Mark that MPI as protected - we need this information for /* Mark that MPI as protected - we need this information for
importing a key. The OPAQUE flag can't be used because importing a key. The OPAQUE flag can't be used because
we also store public EdDSA values in opaque MPIs. */ we also store public EdDSA values in opaque MPIs. */