Unsigned underflow in parse-packet::parse_key()
Open, LowPublic

Description

Fix unsigned underflow for short public key packets in legacy code.

This example show gpg misparsing the EOF (-1 = 255) as version field:

$ printf '\xc6\x00' | gpg2 --list-packet
gpg: packet(6) with unknown version 255
# off=0 ctb=c6 tag=6 hlen=2 plen=0 new-ctb
:key packet: [unknown version]

Possible fix:

diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index e3ff4321e..ed9accc1f 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -2237,6 +2237,8 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen,
 
   pk = pkt->pkt.public_key; /* PK has been cleared. */
 
+  if (!pktlen)
+    return GPG_ERR_INV_PACKET;
   version = iobuf_get_noeof (inp);
   pktlen--;
   if (pkttype == PKT_PUBLIC_SUBKEY && version == '#')
marcus created this task.Mar 23 2018, 10:21 PM
werner triaged this task as Low priority.Mar 24 2018, 12:21 PM