
A NULL pointer may be dereferenced in file "cipher/elgamal.c" inside function "generate_using_x" on line 387
Closed, ResolvedPublic


Function: generate_using_x
Line of error: 387

libgcrypt version 1.5.4 code:

  p = _gcry_generate_elg_prime ( 0, nbits, qbits, g, ret_factors );

  mpi_sub_ui (p_min1, p, 1);

-> Here p is assigned a value by the function '_gcry_generate_elg_prime',
which has a very high probability of returning NULL. So 'p', which may have
a NULL value, is dereferenced a line below, at line 387, in the call
'mpi_sub_ui (p_min1, p, 1);'

-> So an assert (gcry_assert) can be used to check that 'p' is not 'NULL'.

Modified Code:

  p = _gcry_generate_elg_prime ( 0, nbits, qbits, g, ret_factors );

  gcry_assert (p);
  mpi_sub_ui (p_min1, p, 1);

I am adding a patch for the resolution of the above-mentioned bug.



Event Timeline

Thanks for looking at this. However, please do not file separate bug reports
for similar problems. This is just too much overhead. Frankly, I'd
appreciate it if such audit results were sent to the mailing list.

The suggested fix is not suitable because this function or its callers return
an error code and should just do this. An assert is only to be used to make
sure that nothing unexpected happens. You have shown that this may indeed
happen (by using wrong call args or a malloc failure) and thus this needs more
work. Given that such NULL dereferences are not critical security problems,
this won't be fixed for old Libgcrypt versions such as 1.5. Instead I will apply a
fix to master (1.7) and backport it to stable (1.6).

werner added a project: Restricted Project. Aug 21 2014, 11:39 AM
werner removed a project: Restricted Project.
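The shape of fix werner asks for in the thread above, as an added illustration rather than libgcrypt's own code: a caller that validates its arguments and propagates an error code when the prime generator returns NULL, instead of asserting or dereferencing the pointer. The `mpi_t` type, the `gen_prime` stand-in for `_gcry_generate_elg_prime`, the error codes and the simulated allocation failure are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins, not libgcrypt code: a minimal "MPI" and error codes
 * modelled loosely on the gpg_error_t style libgcrypt callers return. */
typedef struct { unsigned long value; } mpi_t;
enum { ERR_NO_ERROR = 0, ERR_INV_VALUE = 1, ERR_ENOMEM = 2 };

/* Stand-in for _gcry_generate_elg_prime(): returns NULL on an invalid size
 * or when allocation fails (failure is simulated through a flag). The value
 * produced is a fixed toy number, not a real prime search. */
static mpi_t *gen_prime(unsigned nbits, int simulate_oom)
{
    mpi_t *p;
    if (nbits < 64 || simulate_oom)
        return NULL;
    p = malloc(sizeof *p);
    if (!p)
        return NULL;
    p->value = 127;             /* toy stand-in for the generated prime */
    return p;
}

/* The corrected shape werner asks for: validate arguments first, then treat a
 * NULL result as an allocation failure and return an error code. Neither an
 * assert nor a blind mpi_sub_ui (p_min1, p, 1) on a NULL p is reached. */
static int generate_checked(unsigned nbits, int simulate_oom, unsigned long *p_min1)
{
    mpi_t *p;
    if (nbits < 64)
        return ERR_INV_VALUE;   /* bad call args: report, don't abort */
    p = gen_prime(nbits, simulate_oom);
    if (!p)
        return ERR_ENOMEM;      /* malloc failure: propagate to the caller */
    *p_min1 = p->value - 1;     /* the p - 1 step the report flags at line 387 */
    free(p);
    return ERR_NO_ERROR;
}

int main(void)
{
    unsigned long p_min1 = 0;
    int rc = generate_checked(128, 0, &p_min1);
    printf("ok:   rc=%d p-1=%lu\n", rc, p_min1);
    printf("args: rc=%d\n", generate_checked(16, 0, &p_min1));
    printf("oom:  rc=%d\n", generate_checked(128, 1, &p_min1));
    return 0;
}
```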