From 9a1e195348daa9f719d34fdf4e4d6bfce4c8fb3e Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 21 Jul 2014 13:50:36 +0200 Subject: [PATCH] gpg: Cap size of attribute packets at 16MB. * g10/parse-packet.c (parse_attribute): Avoid xmalloc failure and cap size of packet. -- Tavis Ormandy reported a fatal error for attribute packets with a zero length payload. This is due to a check in Libgcrypt's xmalloc which rejects a malloc(0) instead of silently allocating 1 byte. The fix is obvious. In addition we cap the size of attribute packets similar to what we do with user id packets. OpenPGP keys are not the proper way to store movies. Resolved conflicts: g10/parse-packet.c - indentation. Use plain fprintf. --- g10/parse-packet.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/g10/parse-packet.c b/g10/parse-packet.c index ab4655d5f..f1d7f7131 100644 --- a/g10/parse-packet.c +++ b/g10/parse-packet.c @@ -2214,11 +2214,22 @@ parse_attribute( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *packet ) (void)pkttype; + /* We better cap the size of an attribute packet to make DoS not + too easy. 16MB should be more then enough for one attribute + packet (ie. a photo). */ + if (pktlen > 16*1024*1024) { + log_error ("packet(%d) too large\n", pkttype); + if (list_mode) + fprintf (listfp, ":attribute packet: [too large]\n"); + iobuf_skip_rest (inp, pktlen, 0); + return G10ERR_INVALID_PACKET; + } + #define EXTRA_UID_NAME_SPACE 71 packet->pkt.user_id = xmalloc_clear(sizeof *packet->pkt.user_id + EXTRA_UID_NAME_SPACE); packet->pkt.user_id->ref=1; - packet->pkt.user_id->attrib_data = xmalloc(pktlen); + packet->pkt.user_id->attrib_data = xmalloc(pktlen? pktlen:1); packet->pkt.user_id->attrib_len = pktlen; p = packet->pkt.user_id->attrib_data;