
Heap-use-after-free from commit 01c87d4c
Closed, ResolvedPublic

Description

Found by oss-fuzz

Commit 01c87d4ce23bc9fc44ec5301c2c6bf2ce615c375 introduced a use-after-free.

free_packet (pkt, NULL); is called before pt->namelen and other fields of this structure are accessed,
and pt = pkt->pkt.plaintext is freed in free_packet.

The bug can be triggered simply by calling gpg --verify on a file containing a single 0xaf byte.

The patch simply moves the call to free_packet a few lines down.

diff --git a/g10/mainproc.c b/g10/mainproc.c
index 6fa30e0d4..5717f1cab 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -946,7 +946,6 @@ proc_plaintext( CTX c, PACKET *pkt )
   if (rc)
     log_error ("handle plaintext failed: %s\n", gpg_strerror (rc));
 
-  free_packet (pkt, NULL);
   c->last_was_session_key = 0;
 
   /* We add a marker control packet instead of the plaintext packet.
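Review bot: check that no early return or goto lies between this removed free_packet and its new location later in proc_plaintext, since any such path now leaks pkt. The move itself is correct: pt = pkt->pkt.plaintext is released by free_packet, and the lines that follow still read pt->timestamp and the other literal-data fields. The comment block beginning "We add a marker control packet" just below is a good place to record that pkt must stay alive until extrahash has been filled.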
@@ -973,6 +972,7 @@ proc_plaintext( CTX c, PACKET *pkt )
       extrahash[extrahashlen++] = pt->timestamp >>  8;
       extrahash[extrahashlen++] = pt->timestamp      ;
     }
+  free_packet (pkt, NULL);
 
   n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK,
                                       extrahash, extrahashlen));
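Review bot: consider adding pt = NULL; immediately after the relocated free_packet (pkt, NULL); or a comment that pt dangles from this line on, so a later edit cannot read a literal-data field after the free again. The placement itself is correct: pt->timestamp on the preceding lines is the last dereference, and the new_kbnode call only consumes the local extrahash buffer. The one-byte 0xaf file from the description would also make a good regression input for the oss-fuzz corpus.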

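The following is an added example, not GnuPG code, showing why the reporter's one-byte file reaches proc_plaintext at all: 0xaf decodes, under the OpenPGP packet header rules of RFC 4880 section 4.2, as an old-format Literal Data packet (tag 11) with indeterminate length and no body. It also parses the Literal Data fields of section 5.9 (format octet, filename length, filename, timestamp), which are the pt->namelen, pt->name and pt->timestamp fields the freed struct carried. The helper names and the two sample inputs are this example's own constructions.

```python
"""Added example (not GnuPG code): decode OpenPGP packet headers and
Literal Data bodies per RFC 4880 sections 4.2 and 5.9, applied to the
reporter's one-byte trigger file and to a well-formed packet."""
import struct

# Packet tags from RFC 4880 section 4.3.
PACKET_TAGS = {
    1: "Public-Key Encrypted Session Key", 2: "Signature",
    3: "Symmetric-Key Encrypted Session Key", 4: "One-Pass Signature",
    5: "Secret-Key", 6: "Public-Key", 7: "Secret-Subkey",
    8: "Compressed Data", 9: "Symmetrically Encrypted Data", 10: "Marker",
    11: "Literal Data", 12: "Trust", 13: "User ID", 14: "Public-Subkey",
    17: "User Attribute", 18: "Sym. Encrypted Integrity Protected Data",
    19: "Modification Detection Code",
}

# Constructed inputs: the reporter's trigger file, and a well-formed
# new-format Literal Data packet ('b' format, filename "a", timestamp 1234).
TRIGGER_FILE = b"\xaf"
GOOD_LITERAL = (b"\xcb\x0c" + b"b" + b"\x01a"
                + struct.pack(">I", 1234) + b"hello")


def parse_packet_header(data):
    """Return format, tag, body length and header size of the first packet."""
    if not data:
        raise ValueError("empty input")
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("bit 7 clear: not an OpenPGP packet header")
    if ctb & 0x40:
        # New format: tag in the low 6 bits, length encoded in following octets.
        fmt, tag = "new", ctb & 0x3f
        if len(data) < 2:
            raise ValueError("truncated new-format length")
        b0 = data[1]
        if b0 < 192:
            length, hdr, ltype = b0, 2, "one-octet"
        elif b0 < 224:
            if len(data) < 3:
                raise ValueError("truncated two-octet length")
            length, hdr, ltype = ((b0 - 192) << 8) + data[2] + 192, 3, "two-octet"
        elif b0 < 255:
            length, hdr, ltype = 1 << (b0 & 0x1f), 2, "partial"
        else:
            if len(data) < 6:
                raise ValueError("truncated five-octet length")
            length, hdr, ltype = struct.unpack(">I", data[2:6])[0], 6, "five-octet"
    else:
        # Old format: tag in bits 5..2, length type in bits 1..0.
        fmt, tag, lt = "old", (ctb >> 2) & 0x0f, ctb & 0x03
        if lt == 3:
            # Length type 3 means indeterminate: the body runs to end of input.
            length, hdr, ltype = None, 1, "indeterminate"
        else:
            n = (1, 2, 4)[lt]
            if len(data) < 1 + n:
                raise ValueError("truncated old-format length")
            length, hdr, ltype = int.from_bytes(data[1:1 + n], "big"), 1 + n, f"{n}-octet"
    return {"format": fmt, "tag": tag, "name": PACKET_TAGS.get(tag, "Unknown/Private"),
            "length": length, "length_type": ltype, "header_len": hdr}


def parse_literal_data(body):
    """Literal Data body: format octet, name length, name, 4-byte timestamp, data."""
    if len(body) < 2:
        raise ValueError("truncated literal data: missing format/namelen")
    fmt, namelen = chr(body[0]), body[1]
    if len(body) < 2 + namelen + 4:
        raise ValueError("truncated literal data: name or timestamp incomplete")
    name = body[2:2 + namelen]
    (timestamp,) = struct.unpack(">I", body[2 + namelen:6 + namelen])
    return {"format": fmt, "namelen": namelen, "name": name,
            "timestamp": timestamp, "data": body[6 + namelen:]}


def describe(data):
    """Decode the header and, for a Literal Data packet, its body fields."""
    hdr = parse_packet_header(data)
    body = data[hdr["header_len"]:]
    if hdr["length"] is not None:
        body = body[:hdr["length"]]
    result = {"header": hdr, "literal": None, "error": None}
    if hdr["tag"] == 11:
        try:
            result["literal"] = parse_literal_data(body)
        except ValueError as exc:
            result["error"] = str(exc)
    return result


if __name__ == "__main__":
    for label, blob in (("trigger", TRIGGER_FILE), ("good", GOOD_LITERAL)):
        print(label, describe(blob))
```

The trigger decodes as an old-format tag 11 packet with an indeterminate length and an empty body, so the literal-data fields are missing entirely; the well-formed packet shows the filename and timestamp that proc_plaintext folds into extrahash after the fix.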