
rpm-4.8.1-10.5.mga1.src.rpm

From 30635dd4330a192fa2b6e202a0e2490eba599a93 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Fri, 30 Sep 2011 15:28:00 +0300
Subject: [PATCH] Sanity check OpenPGP packet lengths in pgpPrtSubType()

- Sub-packet prefix length + packet length can't very well be larger
  than the remaining packet length. In addition to sanity checking,
  return an error code and have callers actually check for it.
- Fixes (yet another) segfault on malformed package (RhBug:742499)
---
 rpmio/rpmpgp.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
index 3da6771..14afc91 100644
--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
@@ -488,6 +488,9 @@ static int pgpPrtSubType(const uint8_t *h, size_t hlen, pgpSigType sigtype,
 
     while (hlen > 0) {
 	i = pgpLen(p, &plen);
+	if (i + plen > hlen)
+	    break;
+
 	p += i;
 	hlen -= i;
 
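Review bot: The new bound `i + plen > hlen` can wrap on a 32-bit build if plen is a size_t filled from a four-byte length field (its declaration is outside the hunk, so this is inferred); a very large plen would then pass the check and the later `hlen -= plen` would underflow. Comparing on the subtraction side avoids the wrap: `if ((size_t)i > hlen || plen > hlen - (size_t)i) break;`. Separately, pgpLen() runs before any bound is applied, so it may read length-prefix bytes beyond hlen when only one or two bytes remain; pgpLen is not shown here, so that needs confirming. The loop body continues outside the hunk.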
@@ -570,7 +573,7 @@ static int pgpPrtSubType(const uint8_t *h, size_t hlen, pgpSigType sigtype,
 	p += plen;
 	hlen -= plen;
     }
-    return 0;
+    return (hlen != 0); /* non-zero hlen is an error */
 }
 
 static const char * const pgpSigRSA[] = {
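Review bot: The return value now matters to callers, but the contract is documented only by the trailing comment on the `return` line. A comment above pgpPrtSubType() would make it visible at the definition, e.g. `/* Returns 0 when every sub-packet fits within hlen, non-zero on a length overrun. */`. It would also help to say there that _digp may already hold values from sub-packets parsed before the malformed one; that is inferred, since the function body lies outside this hunk.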
@@ -729,7 +732,8 @@ fprintf(stderr, "   hash[%zu] -- %s\n", plen, pgpHexStr(p, plen));
 	    _digp->hashlen = sizeof(*v) + plen;
 	    _digp->hash = memcpy(xmalloc(_digp->hashlen), v, _digp->hashlen);
 	}
-	(void) pgpPrtSubType(p, plen, v->sigtype, _digp);
+	if (pgpPrtSubType(p, plen, v->sigtype, _digp))
+	    return 1;
 	p += plen;
 
 	plen = pgpGrab(p,2);
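Review bot: The early `return 1` leaves _digp partly filled: `_digp->hash` and `_digp->hashlen` are set just above the call, and sub-packets parsed before the bad one may have stored more. Nothing visible here clears or frees those fields, so the caller has to treat the whole structure as untrusted on a non-zero return and release it. A comment such as `/* _digp is partially populated on error; caller must discard it */` above the check would record that. The same applies to the unhashed-area call in the following hunk. The enclosing function starts and ends outside both hunks.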
@@ -740,7 +744,8 @@ fprintf(stderr, "   hash[%zu] -- %s\n", plen, pgpHexStr(p, plen));
 
 if (_debug && _print)
 fprintf(stderr, " unhash[%zu] -- %s\n", plen, pgpHexStr(p, plen));
-	(void) pgpPrtSubType(p, plen, v->sigtype, _digp);
+	if (pgpPrtSubType(p, plen, v->sigtype, _digp))
+	    return 1;
 	p += plen;
 
 	plen = pgpGrab(p,2);
-- 
1.7.4.1