From b4f553c1ca5ff451de249c00400c6e1a7d7c0d81 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Sun, 4 Feb 2007 17:20:24 +0000 Subject: [PATCH] Fix for Debian bug 402592 --- g10/ChangeLog | 5 +++++ g10/parse-packet.c | 22 +++++++++++++++++++--- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/g10/ChangeLog b/g10/ChangeLog index 44f7dbccb..e9632bb77 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -1,3 +1,8 @@ +2007-02-04 Werner Koch + + * parse-packet.c (parse_signature): Limit bytes read for an + unknown alogorithm. Fixes Debian bug#402592. + 2007-02-01 David Shaw * main.h, keygen.c (ask_expire_interval, parse_expire_string): diff --git a/g10/parse-packet.c b/g10/parse-packet.c index ed4db4335..639115252 100644 --- a/g10/parse-packet.c +++ b/g10/parse-packet.c @@ -38,6 +38,11 @@ #include "main.h" #include "i18n.h" +#ifndef MAX_EXTERN_MPI_BITS +#define MAX_EXTERN_MPI_BITS 16384 +#endif + + static int mpi_print_mode; static int list_mode; static FILE *listfp; @@ -1437,10 +1442,21 @@ parse_signature( IOBUF inp, int pkttype, unsigned long pktlen, if( list_mode ) fprintf (listfp, "\tunknown algorithm %d\n", sig->pubkey_algo ); unknown_pubkey_warning( sig->pubkey_algo ); - /* we store the plain material in data[0], so that we are able + /* We store the plain material in data[0], so that we are able * to write it back with build_packet() */ - sig->data[0]= mpi_set_opaque(NULL, read_rest(inp, pktlen, 0), pktlen ); - pktlen = 0; + if (pktlen > (5 * MAX_EXTERN_MPI_BITS/8)) + { + /* However we include a limit to avoid too trivial DoS + attacks by having gpg allocate too much memory. */ + log_error ("signature packet: too much data\n"); + rc = G10ERR_INVALID_PACKET; + } + else + { + sig->data[0]= mpi_set_opaque (NULL, read_rest(inp, pktlen, 0), + pktlen ); + pktlen = 0; + } } else { for( i=0; i < ndata; i++ ) {