mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
* parse-packet.c (parse_user_id): Cap the user ID size at 2048 bytes.
This prevents a memory allocation attack with a very large user ID. A very large packet length could even cause the allocation (a u32) to wrap around to a small number. Noted by Evgeny Legerov on full-disclosure.
This commit is contained in:
parent
49c31957f0
commit
91dbfce3b7
@ -1,3 +1,11 @@
|
||||
2006-06-09 David Shaw <dshaw@jabberwocky.com>
|
||||
|
||||
* parse-packet.c (parse_user_id): Cap the user ID size at 2048
|
||||
bytes. This prevents a memory allocation attack with a very large
|
||||
user ID. A very large packet length could even cause the
|
||||
allocation (a u32) to wrap around to a small number. Noted by
|
||||
Evgeny Legerov on full-disclosure.
|
||||
|
||||
2006-05-25 David Shaw <dshaw@jabberwocky.com>
|
||||
|
||||
* keygen.c (gen_dsa): Allow generating DSA2 keys
|
||||
|
@ -1982,6 +1982,20 @@ parse_user_id( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *packet )
|
||||
{
|
||||
byte *p;
|
||||
|
||||
/* Cap the size of a user ID at 2k: a value absurdly large enough
|
||||
that there is no sane user ID string (which is printable text
|
||||
as of RFC2440bis) that won't fit in it, but yet small enough to
|
||||
avoid allocation problems. A large pktlen may not be
|
||||
allocatable, and a very large pktlen could actually cause our
|
||||
allocation to wrap around in xmalloc to a small number. */
|
||||
|
||||
if(pktlen>2048)
|
||||
{
|
||||
log_error("packet(%d) too large\n", pkttype);
|
||||
iobuf_skip_rest(inp, pktlen, 0);
|
||||
return G10ERR_INVALID_PACKET;
|
||||
}
|
||||
|
||||
packet->pkt.user_id = xmalloc_clear(sizeof *packet->pkt.user_id + pktlen);
|
||||
packet->pkt.user_id->len = pktlen;
|
||||
packet->pkt.user_id->ref=1;
|
||||
|
Loading…
x
Reference in New Issue
Block a user