Home GnuPG
Diffusion GnuPG 8445ef24fc31

Fix buffer overflow in openpgp_oid_to_str.
8445ef24fc31Unpublished
Actions

Unpublished Commit · Learn More

Not On Permanent Ref: This commit is not an ancestor of any permanent ref.

Description

Fix buffer overflow in openpgp_oid_to_str.

* common/openpgp-oid.c (openpgp_oid_to_str): Fix unsigned underflow.
* common/t-openpgp-oid.c (BADOID): New.
(test_openpgp_oid_to_str): Add test cases.

The code has an obvious error by not considering invalid encoding for
arc-2. A first byte of 0x80 can be used to make a value of less then
80 and we then subtract 80 from that value as required by the OID
encoding rules. Due to the unsigned integer this results in a pretty
long value which won't fit anymore into the allocated buffer.

The fix is obvious. Also added a few simple test cases. Note that we
keep on using sprintf instead of snprintf because managing the
remaining length of the buffer would probably be more error prone than
assuring that the buffer is large enough. Getting rid of sprintf
altogether by using direct conversion along with membuf_t like code
might be possible.

Ported from libksba commit f715b9e156dfa99ae829fc694e5a0abd23ef97d7

  • Reported-by: Hanno Böck
  • Signed-off-by: Werner Koch <wk@gnupg.org>

Details

Provenance
wernerAuthored on Nov 25 2014, 11:58 AM
Parents
rG28dafd4714a9: build: Require libgpg-error 1.16.
Branches
Unknown
Tags
Unknown

Event Timeline

Werner Koch <wk@gnupg.org> committed rG8445ef24fc31: Fix buffer overflow in openpgp_oid_to_str. (authored by Werner Koch <wk@gnupg.org>).Nov 25 2014, 11:58 AM

Changes (2)

PathSize
common/

rG8445ef24fc31

View Options

common/openpgp-oid.c

Loading...
View Options

common/t-openpgp-oid.c

Loading...