mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00

gpg: Fix double free with anonymous recipients.

* g10/pubkey-enc.c (get_session_key): Do not release SK.
--

Bug is in 2.2.18 only.

The semantics of the enum_secret_keys function changed in master.
When back porting this for 2.2.18 I missed this change and thus we ran
into a double free.  The patch fixes the regression but it is clumsy.
We need to change the enum_secret_keys interface to avoid such a
surprising behaviour; this needs to be done in master first.

Regression-due-to: 9a317557c5
GnuPG-bug-id: 4762
Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2019-11-29 17:44:12 +01:00
parent 80971adbc1
commit 9ac182f376
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
2 changed files with 11 additions and 4 deletions


@ -114,11 +114,11 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek)
for (;;)
{
free_public_key (sk);
sk = xmalloc_clear (sizeof *sk);
rc = enum_secret_keys (ctrl, &enum_context, sk);
if (rc)
{
sk = NULL; /* enum_secret_keys turns SK into a shallow copy! */
rc = GPG_ERR_NO_SECKEY;
break;
}
@ -148,10 +148,14 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek)
{
if (!opt.quiet)
log_info (_("okay, we are the anonymous recipient.\n"));
sk = NULL;
break;
}
else if (gpg_err_code (rc) == GPG_ERR_FULLY_CANCELED)
break; /* Don't try any more secret keys. */
{
sk = NULL;
break; /* Don't try any more secret keys. */
}
}
enum_secret_keys (ctrl, &enum_context, NULL); /* free context */
}
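Review bot: The three exit paths now drop the pointer with `sk = NULL;` but none releases the struct obtained from `xmalloc_clear (sizeof *sk)` at the top of the loop, so unless enum_secret_keys takes over that allocation (not visible here) the container itself leaks on every exit. If the caller still owns the container, `xfree (sk); sk = NULL;` would free it without touching the shared members. Only the first assignment explains why; the success and GPG_ERR_FULLY_CANCELED branches should carry the same reason, e.g. `sk = NULL; /* shallow copy, must not reach free_public_key */`. It is also worth confirming that any path between the two hunks that loops back does not hand the same shallow copy to `free_public_key (sk)` at the top of the loop; get_session_key starts and ends outside these hunks.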