diff -up gnupg-1.4.5/doc/DETAILS.nesting gnupg-1.4.5/doc/DETAILS diff -up gnupg-1.4.5/g10/mainproc.c.nesting gnupg-1.4.5/g10/mainproc.c --- gnupg-1.4.5/g10/mainproc.c.nesting 2013-10-09 16:25:31.740293935 +0200 +++ gnupg-1.4.5/g10/mainproc.c 2013-10-09 17:37:45.708161399 +0200 @@ -1,6 +1,7 @@ /* mainproc.c - handle packets * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, * 2005, 2006 Free Software Foundation, Inc. + * Copyright (C) 2013 Werner Koch * * This file is part of GnuPG. * @@ -43,6 +44,11 @@ #include "photoid.h" +/* Put an upper limit on nested packets. The 32 is an arbitrary + value, a much lower should actually be sufficient. */ +#define MAX_NESTING_DEPTH 32 + + struct kidlist_item { struct kidlist_item *next; u32 kid[2]; @@ -769,7 +775,7 @@ proc_encrypt_cb( IOBUF a, void *info ) return proc_encryption_packets( info, a ); } -static void +static int proc_compressed( CTX c, PACKET *pkt ) { PKT_compressed *zd = pkt->pkt.compressed; @@ -788,6 +794,7 @@ proc_compressed( CTX c, PACKET *pkt ) log_error("uncompressing failed: %s\n", g10_errstr(rc)); free_packet(pkt); c->last_was_session_key = 0; + return rc; } /**************** @@ -1218,14 +1225,37 @@ proc_encryption_packets( void *anchor, I } -int +static int +check_nesting (CTX c) +{ + int level; + + for (level = 0; c; c = c->anchor) + level++; + + if (level > MAX_NESTING_DEPTH) + { + log_error ("input data with too deeply nested packets\n"); + write_status_text (STATUS_UNEXPECTED, "1"); + return G10ERR_UNEXPECTED; + } + return 0; +} + + +static int do_proc_packets( CTX c, IOBUF a ) { - PACKET *pkt = xmalloc( sizeof *pkt ); - int rc=0; - int any_data=0; + PACKET *pkt; + int rc = 0; + int any_data = 0; int newpkt; + rc = check_nesting (c); + if (rc) + return rc; + + pkt = xmalloc( sizeof *pkt ); c->iobuf = a; init_packet(pkt); while( (rc=parse_packet(a, pkt)) != -1 ) { @@ -1245,7 +1275,7 @@ do_proc_packets( CTX c, IOBUF a ) case PKT_SYMKEY_ENC: proc_symkey_enc( c, pkt ); break; case PKT_ENCRYPTED: case PKT_ENCRYPTED_MDC: proc_encrypted( c, pkt ); break; - case PKT_COMPRESSED: proc_compressed( c, pkt ); break; + case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break; default: newpkt = 0; break; } } @@ -1263,7 +1293,7 @@ do_proc_packets( CTX c, IOBUF a ) goto leave; case PKT_SIGNATURE: newpkt = add_signature( c, pkt ); break; case PKT_PLAINTEXT: proc_plaintext( c, pkt ); break; - case PKT_COMPRESSED: proc_compressed( c, pkt ); break; + case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break; case PKT_ONEPASS_SIG: newpkt = add_onepass_sig( c, pkt ); break; case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break; default: newpkt = 0; break; @@ -1283,7 +1313,7 @@ do_proc_packets( CTX c, IOBUF a ) case PKT_ENCRYPTED: case PKT_ENCRYPTED_MDC: proc_encrypted( c, pkt ); break; case PKT_PLAINTEXT: proc_plaintext( c, pkt ); break; - case PKT_COMPRESSED: proc_compressed( c, pkt ); break; + case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break; case PKT_ONEPASS_SIG: newpkt = add_onepass_sig( c, pkt ); break; case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break; default: newpkt = 0; break; @@ -1308,13 +1338,17 @@ do_proc_packets( CTX c, IOBUF a ) case PKT_ENCRYPTED: case PKT_ENCRYPTED_MDC: proc_encrypted( c, pkt ); break; case PKT_PLAINTEXT: proc_plaintext( c, pkt ); break; - case PKT_COMPRESSED: proc_compressed( c, pkt ); break; + case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break; case PKT_ONEPASS_SIG: newpkt = add_onepass_sig( c, pkt ); break; case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break; case PKT_RING_TRUST: newpkt = add_ring_trust( c, pkt ); break; default: newpkt = 0; break; } } + + if (rc) + goto leave; + /* This is a very ugly construct and frankly, I don't remember why * I used it. Adding the MDC check here is a hack. * The right solution is to initiate another context for encrypted diff -up gnupg-1.4.5/util/iobuf.c.nesting gnupg-1.4.5/util/iobuf.c --- gnupg-1.4.5/util/iobuf.c.nesting 2006-07-31 11:22:48.000000000 +0200 +++ gnupg-1.4.5/util/iobuf.c 2013-10-10 14:08:27.740924762 +0200 @@ -52,6 +52,11 @@ #undef FILE_FILTER_USES_STDIO +/* To avoid a potential DoS with compression packets we better limit + the number of filters in a chain. */ +#define MAX_NESTING_FILTER 64 + + #ifdef HAVE_DOSISH_SYSTEM #define USE_SETMODE 1 #endif @@ -1349,6 +1354,12 @@ iobuf_push_filter2( IOBUF a, if( a->use == 2 && (rc=iobuf_flush(a)) ) return rc; + + if (a->subno >= MAX_NESTING_FILTER) { + log_error ("i/o filter too deeply nested - corrupted data?\n"); + return G10ERR_UNEXPECTED; + } + /* make a copy of the current stream, so that * A is the new stream and B the original one. * The contents of the buffers are transferred to the