Sophie

Sophie

distrib > Scientific%20Linux > 5x > x86_64 > media > main-src > by-pkgid > a05f635f8bbbe665ff06237a7c5ffdb8 > files > 8

gnupg-1.4.5-18.el5_10.src.rpm

diff -up gnupg-1.4.5/doc/DETAILS.nesting gnupg-1.4.5/doc/DETAILS
diff -up gnupg-1.4.5/g10/mainproc.c.nesting gnupg-1.4.5/g10/mainproc.c
--- gnupg-1.4.5/g10/mainproc.c.nesting	2013-10-09 16:25:31.740293935 +0200
+++ gnupg-1.4.5/g10/mainproc.c	2013-10-09 17:37:45.708161399 +0200
@@ -1,6 +1,7 @@
 /* mainproc.c - handle packets
  * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004,
  *               2005, 2006 Free Software Foundation, Inc.
+ * Copyright (C) 2013 Werner Koch
  *
  * This file is part of GnuPG.
  *
@@ -43,6 +44,11 @@
 #include "photoid.h"
 
 
+/* Put an upper limit on nested packets.  The 32 is an arbitrary
+   value, a much lower should actually be sufficient.  */
+#define MAX_NESTING_DEPTH 32
+
+
 struct kidlist_item {
     struct kidlist_item *next;
     u32 kid[2];
@@ -769,7 +775,7 @@ proc_encrypt_cb( IOBUF a, void *info )
     return proc_encryption_packets( info, a );
 }
 
-static void
+static int
 proc_compressed( CTX c, PACKET *pkt )
 {
     PKT_compressed *zd = pkt->pkt.compressed;
@@ -788,6 +794,7 @@ proc_compressed( CTX c, PACKET *pkt )
 	log_error("uncompressing failed: %s\n", g10_errstr(rc));
     free_packet(pkt);
     c->last_was_session_key = 0;
+    return rc;
 }
 
 /****************
@@ -1218,14 +1225,37 @@ proc_encryption_packets( void *anchor, I
 }
 
 
-int
+static int
+check_nesting (CTX c)
+{
+  int level;
+
+  for (level = 0; c; c = c->anchor)
+    level++;
+
+  if (level > MAX_NESTING_DEPTH)
+    {
+      log_error ("input data with too deeply nested packets\n");
+      write_status_text (STATUS_UNEXPECTED, "1");
+      return G10ERR_UNEXPECTED;
+    }
+  return 0;
+}
+
+
+static int
 do_proc_packets( CTX c, IOBUF a )
 {
-    PACKET *pkt = xmalloc( sizeof *pkt );
-    int rc=0;
-    int any_data=0;
+    PACKET *pkt;
+    int rc = 0;
+    int any_data = 0;
     int newpkt;
 
+    rc = check_nesting (c);
+    if (rc)
+      return rc;
+
+    pkt = xmalloc( sizeof *pkt );
     c->iobuf = a;
     init_packet(pkt);
     while( (rc=parse_packet(a, pkt)) != -1 ) {
@@ -1245,7 +1275,7 @@ do_proc_packets( CTX c, IOBUF a )
 	      case PKT_SYMKEY_ENC:  proc_symkey_enc( c, pkt ); break;
 	      case PKT_ENCRYPTED:
 	      case PKT_ENCRYPTED_MDC: proc_encrypted( c, pkt ); break;
-	      case PKT_COMPRESSED:  proc_compressed( c, pkt ); break;
+	      case PKT_COMPRESSED:  rc = proc_compressed( c, pkt ); break;
 	      default: newpkt = 0; break;
 	    }
 	}
@@ -1263,7 +1293,7 @@ do_proc_packets( CTX c, IOBUF a )
 		goto leave;
 	      case PKT_SIGNATURE:   newpkt = add_signature( c, pkt ); break;
 	      case PKT_PLAINTEXT:   proc_plaintext( c, pkt ); break;
-	      case PKT_COMPRESSED:  proc_compressed( c, pkt ); break;
+	      case PKT_COMPRESSED:  rc = proc_compressed( c, pkt ); break;
 	      case PKT_ONEPASS_SIG: newpkt = add_onepass_sig( c, pkt ); break;
               case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
 	      default: newpkt = 0; break;
@@ -1283,7 +1313,7 @@ do_proc_packets( CTX c, IOBUF a )
 	      case PKT_ENCRYPTED:
 	      case PKT_ENCRYPTED_MDC: proc_encrypted( c, pkt ); break;
 	      case PKT_PLAINTEXT:   proc_plaintext( c, pkt ); break;
-	      case PKT_COMPRESSED:  proc_compressed( c, pkt ); break;
+	      case PKT_COMPRESSED:  rc = proc_compressed( c, pkt ); break;
 	      case PKT_ONEPASS_SIG: newpkt = add_onepass_sig( c, pkt ); break;
 	      case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
 	      default: newpkt = 0; break;
@@ -1308,13 +1338,17 @@ do_proc_packets( CTX c, IOBUF a )
 	      case PKT_ENCRYPTED:
 	      case PKT_ENCRYPTED_MDC: proc_encrypted( c, pkt ); break;
 	      case PKT_PLAINTEXT:   proc_plaintext( c, pkt ); break;
-	      case PKT_COMPRESSED:  proc_compressed( c, pkt ); break;
+	      case PKT_COMPRESSED:  rc = proc_compressed( c, pkt ); break;
 	      case PKT_ONEPASS_SIG: newpkt = add_onepass_sig( c, pkt ); break;
               case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
 	      case PKT_RING_TRUST:  newpkt = add_ring_trust( c, pkt ); break;
 	      default: newpkt = 0; break;
 	    }
 	}
+
+        if (rc)
+          goto leave;
+
         /* This is a very ugly construct and frankly, I don't remember why
          * I used it.  Adding the MDC check here is a hack.
          * The right solution is to initiate another context for encrypted
diff -up gnupg-1.4.5/util/iobuf.c.nesting gnupg-1.4.5/util/iobuf.c
--- gnupg-1.4.5/util/iobuf.c.nesting	2006-07-31 11:22:48.000000000 +0200
+++ gnupg-1.4.5/util/iobuf.c	2013-10-10 14:08:27.740924762 +0200
@@ -52,6 +52,11 @@
 
 #undef FILE_FILTER_USES_STDIO
 
+/* To avoid a potential DoS with compression packets we better limit
+   the number of filters in a chain.  */
+#define MAX_NESTING_FILTER 64
+
+
 #ifdef HAVE_DOSISH_SYSTEM
 #define USE_SETMODE 1
 #endif
@@ -1349,6 +1354,12 @@ iobuf_push_filter2( IOBUF a,
 
     if( a->use == 2 && (rc=iobuf_flush(a)) )
 	return rc;
+
+    if (a->subno >= MAX_NESTING_FILTER) {
+        log_error ("i/o filter too deeply nested - corrupted data?\n");
+        return G10ERR_UNEXPECTED;
+    }
+
     /* make a copy of the current stream, so that
      * A is the new stream and B the original one.
      * The contents of the buffers are transferred to the

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional