security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-04-17 15:44:34 +02:00
Code Activity

gpg: Fix double free with anonymous recipients.

Browse Source 
* g10/pubkey-enc.c (get_session_key): Do not release SK.
--

Bug is in 2.2.18 only.

The semantics of the enum_secret_keys function changed in master.
When back porting this for 2.2.18 I missed this change and thus we ran
into a double free.  The patches fixes the regression but is it clumsy.
We need to change the enum_secret_keys interface to avoid such a
surprising behaviour; this needs to be done in master first.

Regression-due-to: 9a317557c58d2bdcc504b70c366b77f4cac71df7
GnuPG-bug-id: 4762
Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2019-11-29 17:44:12 +01:00
parent 80971adbc1
commit 9ac182f376
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
g10/pubkey-enc.c
View File

@ -114,11 +114,11 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek)
for (;;) for (;;)
{ {
free_public_key (sk);
sk = xmalloc_clear (sizeof *sk); sk = xmalloc_clear (sizeof *sk);
rc = enum_secret_keys (ctrl, &enum_context, sk); rc = enum_secret_keys (ctrl, &enum_context, sk);
if (rc) if (rc)
{ {
sk = NULL; /* enum_secret_keys turns SK into a shallow copy! */
rc = GPG_ERR_NO_SECKEY; rc = GPG_ERR_NO_SECKEY;
break; break;
} }
@ -148,10 +148,14 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek)
{ {
if (!opt.quiet) if (!opt.quiet)
log_info (_("okay, we are the anonymous recipient.\n")); log_info (_("okay, we are the anonymous recipient.\n"));
sk = NULL;
break; break;
} }
else if (gpg_err_code (rc) == GPG_ERR_FULLY_CANCELED) else if (gpg_err_code (rc) == GPG_ERR_FULLY_CANCELED)
break; /* Don't try any more secret keys. */ {
sk = NULL;
break; /* Don't try any more secret keys. */
}
} }
enum_secret_keys (ctrl, &enum_context, NULL); /* free context */ enum_secret_keys (ctrl, &enum_context, NULL); /* free context */
} }

7
g10/skclist.c
View File

@ -292,14 +292,17 @@ build_sk_list (ctrl_t ctrl,
* --default-key and --try-secret-key). Use the following procedure: * --default-key and --try-secret-key). Use the following procedure:
* *
* 1) Initialize a void pointer to NULL * 1) Initialize a void pointer to NULL
* 2) Pass a reference to this pointer to this function (content) * 2) Pass a reference to this pointer to this function (CONTEXT)
* and provide space for the secret key (sk) * and provide space for the secret key (SK)
* 3) Call this function as long as it does not return an error (or * 3) Call this function as long as it does not return an error (or
* until you are done). The error code GPG_ERR_EOF indicates the * until you are done). The error code GPG_ERR_EOF indicates the
* end of the listing. * end of the listing.
* 4) Call this function a last time with SK set to NULL, * 4) Call this function a last time with SK set to NULL,
* so that can free it's context. * so that can free it's context.
* *
* TAKE CARE: When the function returns SK belongs to CONTEXT and may
* not be freed by the caller; neither on success nor on error.
*
* In pseudo-code: * In pseudo-code:
* *
* void *ctx = NULL; * void *ctx = NULL;