Diffusion GnuPG 5e3679ae395e

kbx: Fix detection of corrupted keyblocks on 32 bit systems.

Authored by werner on Feb 15 2018, 11:17 AM.

Description

kbx: Fix detection of corrupted keyblocks on 32 bit systems.

* kbx/keybox-search.c (blob_cmp_fpr): Avoid overflow in OFF+LEN
checking.
(blob_cmp_fpr_part): Ditto.
(blob_cmp_name): Ditto.
(blob_cmp_mail): Ditto.
(blob_x509_has_grip): Ditto.
(keybox_get_keyblock): Check OFF and LEN using a 64 bit var.
(keybox_get_cert): Ditto.

On most 32 bit systems size_t is 32 bit and thus the check

size_t cert_off = get32 (buffer+8);
size_t cert_len = get32 (buffer+12);
if (cert_off+cert_len > length)
  return gpg_error (GPG_ERR_TOO_SHORT);

does not work as intended for all supplied values. The simplest
solution here is to cast them to 64 bit.

In general it will be better to avoid size_t at all and work with
uint64_t. We did not do this in the past because uint64_t was not
universally available.

  • GnuPG-bug-id: T3770
  • Signed-off-by: Werner Koch <wk@gnupg.org>

Details

Committed
wernerFeb 15 2018, 11:41 AM
Parents
rGca138d5bf36a: gpg: Fix reversed messages for --only-sign-text-ids.
Branches
Unknown
Tags
Unknown
Tasks
T3770: heap buffer overflow in iobuf.c