Fix unsigned underflow for short public key packets in legacy code.
This example shows gpg misparsing the EOF (-1 = 255) as the version field:
$ printf '\xc6\x00' | gpg2 --list-packet
gpg: packet(6) with unknown version 255
# off=0 ctb=c6 tag=6 hlen=2 plen=0 new-ctb
:key packet: [unknown version]
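The following is an added illustration, not GnuPG code: a minimal C model of the key packet parser that reproduces the failure mode above (EOF stored as version 255 and the unsigned pktlen wrapping) and shows the effect of a zero-length guard. The iobuf_t type, parse_header(), parse_key_body() and parse_packet() are hypothetical stand-ins for the real g10/parse-packet.c routines; the only input is the two-byte reproducer from the report.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not GnuPG code: a minimal model of the public key
 * packet parser showing why an empty packet body must be rejected before
 * the version byte is read. All names here are hypothetical stand-ins. */

typedef struct { const unsigned char *data; size_t len; size_t pos; } iobuf_t;

/* Stand-in for iobuf_get_noeof(): next byte, or -1 at end of data. */
static int iobuf_get_noeof(iobuf_t *inp)
{
    if (inp->pos >= inp->len)
        return -1;
    return inp->data[inp->pos++];
}

enum { RC_OK = 0, RC_INV_PACKET = 1, RC_BAD_HEADER = 2 };

struct parsed_key {
    unsigned char version;   /* the version is kept in a byte field, hence 255 */
    unsigned long remaining; /* pktlen after the version byte is consumed */
};

/* Decode a new-format CTB with a one-octet body length (the '\xc6\x00' case). */
static int parse_header(iobuf_t *inp, int *tag, unsigned long *plen)
{
    int ctb = iobuf_get_noeof(inp);
    if (ctb < 0 || !(ctb & 0x80) || !(ctb & 0x40))
        return RC_BAD_HEADER;        /* bit 7 must be set; bit 6 = new format */
    *tag = ctb & 0x3f;
    int len = iobuf_get_noeof(inp);
    if (len < 0 || len >= 192)
        return RC_BAD_HEADER;        /* only the one-octet length form here */
    *plen = (unsigned long)len;
    return RC_OK;
}

/* Body parser. With guard == 0 it mirrors the legacy path: the EOF value -1
 * is stored as version 255 and the unsigned pktlen-- wraps to ULONG_MAX.
 * With guard == 1 it applies the proposed zero-length check instead. */
static int parse_key_body(iobuf_t *inp, unsigned long pktlen, int guard,
                          struct parsed_key *out)
{
    if (guard && !pktlen)
        return RC_INV_PACKET;
    out->version = (unsigned char)iobuf_get_noeof(inp);
    pktlen--;
    out->remaining = pktlen;
    return RC_OK;
}

/* Run a whole packet through header and body parsing. */
static int parse_packet(const unsigned char *buf, size_t n, int guard,
                        struct parsed_key *out)
{
    iobuf_t inp = { buf, n, 0 };
    int tag;
    unsigned long plen;
    int rc = parse_header(&inp, &tag, &plen);
    if (rc != RC_OK)
        return rc;
    if (tag != 6)
        return RC_BAD_HEADER;        /* this model only knows public key packets */
    return parse_key_body(&inp, plen, guard, out);
}

int main(void)
{
    /* Constructed input: the reproducer from the report, 0xC6 0x00. */
    static const unsigned char repro[] = { 0xc6, 0x00 };
    struct parsed_key k = { 0, 0 };

    int rc = parse_packet(repro, sizeof repro, 0, &k);
    printf("legacy:  rc=%d version=%u remaining=%lu (ULONG_MAX=%lu)\n",
           rc, k.version, k.remaining, ULONG_MAX);

    rc = parse_packet(repro, sizeof repro, 1, &k);
    printf("guarded: rc=%d (%s)\n", rc,
           rc == RC_INV_PACKET ? "invalid packet" : "ok");
    return 0;
}
```

The legacy run reports version 255 with a remaining length of ULONG_MAX, which is the state the real parser is in when it prints the "unknown version 255" diagnostic; the guarded run returns an invalid-packet error before any byte of the empty body is read.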
Possible fix:
diff --git a/g10/parse-packet.c b/g10/parse-packet.c index e3ff4321e..ed9accc1f 100644 --- a/g10/parse-packet.c +++ b/g10/parse-packet.c @@ -2237,6 +2237,8 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen, pk = pkt->pkt.public_key; /* PK has been cleared. */ + if (!pktlen) + return GPG_ERR_INV_PACKET; version = iobuf_get_noeof (inp); pktlen--; if (pkttype == PKT_PUBLIC_SUBKEY && version == '#')
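Review bot: the guard sits in the right place, before `version = iobuf_get_noeof (inp);` and the unconditional `pktlen--;` on the `unsigned long pktlen` parameter, so an empty key packet can no longer wrap pktlen or store the EOF value -1 as version 255. Two things to check before merging: first, whether a bare `return GPG_ERR_INV_PACKET;` matches how the rest of parse_key reports errors, since the unknown-version path shown in the report still emits a log line and a list-mode entry while this early return is silent, so a `log_error ("packet(%d) too short\n", pkttype);` diagnostic plus the function's usual error-return convention would keep behaviour consistent; second, whether the same `iobuf_get_noeof` followed by `pktlen--` pattern appears in the other packet parsers in parse-packet.c, because those would need the same zero-length guard.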