From 30635dd4330a192fa2b6e202a0e2490eba599a93 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Fri, 30 Sep 2011 15:28:00 +0300
Subject: [PATCH] Sanity check OpenPGP packet lengths in pgpPrtSubType()
- Sub-packet prefix length + packet length can't very well be larger than the remaining packet length. In addition to sanity checking, return an error code and have callers actually check for it.
- Fixes (yet another) segfault on malformed package (RhBug:742499)
---
 rpmio/rpmpgp.c | 11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
index 3da6771..14afc91 100644
--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
@@ -488,6 +488,9 @@ static int pgpPrtSubType(const uint8_t *h, size_t hlen, pgpSigType sigtype,
 while (hlen > 0) {
 i = pgpLen(p, &plen);
+ if (i + plen > hlen)
+ break;
+
 p += i;
 hlen -= i;
@@ -570,7 +573,7 @@ static int pgpPrtSubType(const uint8_t *h, size_t hlen, pgpSigType sigtype,
 p += plen;
 hlen -= plen;
 }
- return 0;
+ return (hlen != 0); /* non-zero hlen is an error */
 }
 static const char * const pgpSigRSA[] = {
@@ -729,7 +732,8 @@ fprintf(stderr, " hash[%zu] -- %s\n", plen, pgpHexStr(p, plen));
 _digp->hashlen = sizeof(*v) + plen;
 _digp->hash = memcpy(xmalloc(_digp->hashlen), v, _digp->hashlen);
 }
- (void) pgpPrtSubType(p, plen, v->sigtype, _digp);
+ if (pgpPrtSubType(p, plen, v->sigtype, _digp))
+ return 1;
 p += plen;
 plen = pgpGrab(p,2);
@@ -740,7 +744,8 @@ fprintf(stderr, " hash[%zu] -- %s\n", plen, pgpHexStr(p, plen));
 if (_debug && _print) fprintf(stderr, " unhash[%zu] -- %s\n", plen, pgpHexStr(p, plen));
- (void) pgpPrtSubType(p, plen, v->sigtype, _digp);
+ if (pgpPrtSubType(p, plen, v->sigtype, _digp))
+ return 1;
 p += plen;
 plen = pgpGrab(p,2);
--
1.7.4.1
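Review bot: The new bound `if (i + plen > hlen)` adds two lengths taken from the packet before comparing them, so if `i` and `plen` are `size_t` like `hlen` (their declarations are outside the hunk) the sum can wrap on a 32-bit build and the check then passes. Comparing without the addition avoids that: `if (i > hlen || plen > hlen - i) break;`. Two related cases are worth confirming in the part of the loop this hunk does not show: `pgpLen(p, &plen)` runs before anything checks that the length prefix itself lies within `hlen`, and a sub-packet with `plen == 0` passes the test, so any read of a type octet at `p[0]` after `p += i` would need its own guard.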
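Review bot: In the hunk at -570, the error result is derived from whatever is left in `hlen` instead of being set where the bad length is detected. With `return (hlen != 0);`, any later `break` added to the loop for a non-error reason would silently become a failure. Since the function now has a real return contract, it should be documented above the signature, for example `/* Returns 0 when every sub-packet was consumed, non-zero when a sub-packet length ran past the buffer. */`. The function begins outside this hunk, so that comment belongs at its head and not at the return.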
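Review bot: The early `return 1` in the hunk at -729 comes after `_digp->hash` has been allocated with `xmalloc()` in the context lines just above, and `pgpPrtSubType()` is handed `_digp` and presumably has already stored values from earlier sub-packets. The same applies to the second `return 1` in the hunk at -740. Whether the caller frees and discards `_digp` on failure is not visible here, so confirm that a rejected signature can neither leak that buffer nor leave half-parsed parameters that are later used for verification. A comment at the first return, e.g. `/* malformed sub-packet: caller must discard _digp */`, would record that expectation. The enclosing function begins and ends outside both hunks.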