Integer overflow causes heap overflow in parse_symkeyenc() in file g10/parse-packet.c
Closed, Resolved · Public


I found a bug in the decryption routine of gpg with the help of afl and asan. It arises from line 1145, through which it is possible to decrement the pktlen variable five times even if it only has the value of 4. Since it is an unsigned long int, this leads to undefined behaviour later on in the code. The risk of exploitation is mitigated by the assertion on line 1209. Nevertheless it is still serious enough to warrant fixing. A possible fix would be to increase the minimum length of pktlen to 5 on line 1110.

jfe created this task. Feb 6 2018, 1:09 PM
jfe updated the task description. Feb 6 2018, 1:12 PM
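The bug class described in the report, as an added illustration that is not code from g10/parse-packet.c or from the reporter: a parser that checks "at least min_len bytes" up front and then does one unconditional `pktlen--` per fixed header byte it consumes. When min_len is smaller than the number of bytes consumed, a packet of exactly min_len bytes passes the check and the last decrement wraps the unsigned counter to ULONG_MAX, which is then used as the length of the remaining body. The packet layout, the field names, the constant `FIXED_HEADER_BYTES` and the sample buffer are all constructed for this example. The hardened variant applies the reporter's suggested fix (minimum length equal to the bytes consumed) and adds a second, independent check that the remaining length never exceeds the starting length, which catches a wrap regardless of which decrement caused it.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed illustration, not GnuPG code.  Five header bytes are always
 * consumed; the report's point is that a minimum-length check of 4 lets a
 * 4-byte packet through.  Layout and names are hypothetical. */
#define FIXED_HEADER_BYTES 5UL

struct symkeyenc_hdr {
    unsigned char version, cipher_algo, s2k_mode, hash_algo, s2k_count;
    unsigned long seskeylen;   /* bytes left for the encrypted session key */
};

/* Shared parsing logic.  Returns 0 on success, -1 if the packet is rejected.
 * buf is assumed to hold at least FIXED_HEADER_BYTES readable bytes (a real
 * stream reader would hand back EOF or the next packet's bytes instead). */
static int parse_symkeyenc_like(const unsigned char *buf, unsigned long pktlen,
                                unsigned long min_len,
                                struct symkeyenc_hdr *hdr)
{
    if (pktlen < min_len)
        return -1;                       /* "invalid packet" */

    hdr->version     = buf[0]; pktlen--;
    hdr->cipher_algo = buf[1]; pktlen--;
    hdr->s2k_mode    = buf[2]; pktlen--;
    hdr->hash_algo   = buf[3]; pktlen--;
    /* Fifth decrement: with min_len == 4 and pktlen == 4 this wraps to
     * ULONG_MAX, and that value would later size an allocation or copy. */
    hdr->s2k_count   = buf[4]; pktlen--;

    hdr->seskeylen = pktlen;
    return 0;
}

/* Weak variant: the threshold the report identifies as too small. */
static int parse_weak(const unsigned char *buf, unsigned long pktlen,
                      struct symkeyenc_hdr *hdr)
{
    return parse_symkeyenc_like(buf, pktlen, 4, hdr);
}

/* Hardened variant: threshold equals the bytes unconditionally consumed
 * (the reporter's fix), plus a wrap detector that holds for any counter
 * that is only ever decremented: the remainder can never exceed the start. */
static int parse_hardened(const unsigned char *buf, unsigned long pktlen,
                          struct symkeyenc_hdr *hdr)
{
    if (parse_symkeyenc_like(buf, pktlen, FIXED_HEADER_BYTES, hdr) != 0)
        return -1;
    if (hdr->seskeylen > pktlen)         /* only possible after a wrap */
        return -1;
    return 0;
}

/* Constructed sample: an 8-byte buffer; callers pass the *claimed* packet
 * length, which is what the parser trusts. */
static const unsigned char sample_buf[8] = {4, 9, 3, 8, 0xff, 0xaa, 0xbb, 0xcc};

/* 1 if the chosen parser accepts a packet claiming pktlen bytes, else 0. */
int accepts(int hardened, unsigned long pktlen)
{
    struct symkeyenc_hdr hdr;
    int rc = hardened ? parse_hardened(sample_buf, pktlen, &hdr)
                      : parse_weak(sample_buf, pktlen, &hdr);
    return rc == 0;
}

/* The session-key length the chosen parser computes, or 0 if rejected. */
unsigned long seskeylen_of(int hardened, unsigned long pktlen)
{
    struct symkeyenc_hdr hdr;
    int rc = hardened ? parse_hardened(sample_buf, pktlen, &hdr)
                      : parse_weak(sample_buf, pktlen, &hdr);
    return rc == 0 ? hdr.seskeylen : 0;
}

int main(void)
{
    printf("weak parser, pktlen=4: accepted=%d seskeylen=%lu (ULONG_MAX=%lu)\n",
           accepts(0, 4), seskeylen_of(0, 4), ULONG_MAX);
    printf("hardened parser, pktlen=4: accepted=%d\n", accepts(1, 4));
    printf("hardened parser, pktlen=8: accepted=%d seskeylen=%lu\n",
           accepts(1, 8), seskeylen_of(1, 8));
    return 0;
}
```

The second check in `parse_hardened` is cheap insurance for parsers of this shape: if a later edit adds another unconditional decrement without bumping the minimum, the comparison against the original length still rejects the packet instead of handing a wrapped length to an allocator or memcpy.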
werner closed this task as Resolved. Feb 6 2018, 5:47 PM
werner claimed this task.
werner added a subscriber: werner.

Thanks for testing. I recall that I wanted to update the checking but a phonecall disturbed my hacking sequence; should have used DND.

jfe added a comment. Feb 6 2018, 6:25 PM

Great, thanks for the quick response!