security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00
Code Activity

gpg: Do not allow creation of user ids larger than our parser allows.

Browse source 
* g10/parse-packet.c: Move max packet lengths constants to ...
* g10/packet.h: ... here.
* g10/build-packet.c (do_user_id): Return an error if too data is too
large.
* g10/keygen.c (write_uid): Return an error for too large data.
--

This can lead to keyring corruption becuase we expect that our parser
is abale to parse packts created by us.  Test case is

  gpg --batch --passphrase 'abc' -v  \
      --quick-gen-key $(yes 'a'| head -4000|tr -d '\n')

GnuPG-bug-id: 4532
Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2019-05-21 16:25:56 +02:00
parent 6e39541f4f
commit d32963eeb3
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
4 changed files with 31 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

33
g10/keygen.c
View file

@ -218,18 +218,22 @@ print_status_key_not_created (const char *handle)
static void
write_uid( KBNODE root, const char *s )
static gpg_error_t
write_uid (kbnode_t root, const char *s)
{
PACKET *pkt = xmalloc_clear(sizeof *pkt );
size_t n = strlen(s);
PACKET *pkt = xmalloc_clear (sizeof *pkt);
size_t n = strlen (s);
pkt->pkttype = PKT_USER_ID;
pkt->pkt.user_id = xmalloc_clear (sizeof *pkt->pkt.user_id + n);
pkt->pkt.user_id->len = n;
pkt->pkt.user_id->ref = 1;
strcpy(pkt->pkt.user_id->name, s);
add_kbnode( root, new_kbnode( pkt ) );
if (n > MAX_UID_PACKET_LENGTH - 10)
return gpg_error (GPG_ERR_INV_USER_ID);
pkt->pkttype = PKT_USER_ID;
pkt->pkt.user_id = xmalloc_clear (sizeof *pkt->pkt.user_id + n);
pkt->pkt.user_id->len = n;
pkt->pkt.user_id->ref = 1;
strcpy (pkt->pkt.user_id->name, s);
add_kbnode (root, new_kbnode (pkt));
return 0;
}
static void
@ -4751,10 +4755,11 @@ do_generate_keypair (ctrl_t ctrl, struct para_data_s *para,
if (!err && (s = get_parameter_value (para, pUSERID)))
{
write_uid (pub_root, s );
err = write_selfsigs (ctrl, pub_root, pri_psk,
get_parameter_uint (para, pKEYUSAGE), timestamp,
cache_nonce);
err = write_uid (pub_root, s );
if (!err)
err = write_selfsigs (ctrl, pub_root, pri_psk,
get_parameter_uint (para, pKEYUSAGE), timestamp,
cache_nonce);
}
/* Write the auth key to the card before the encryption key. This