gpg: Fix possible read of unallocated memory
d2b0e613131dUnpublished
Actions

Unpublished Commit · Learn More

Not On Permanent Ref: This commit is not an ancestor of any permanent ref.

Description

gpg: Fix possible read of unallocated memory

* g10/parse-packet.c (can_handle_critical): Check content length
before calling can_handle_critical_notation.

The problem was found by Jan Bee and gniibe proposed the used fix.
Thanks.

This bug can't be exploited: Only if the announced length of the
notation is 21 or 32 a memcmp against fixed strings using that length
would be done. The compared data is followed by the actual signature
and thus it is highly likely that not even read of unallocated memory
will happen. Nevertheless such a bug needs to be fixed.

Signed-off-by: Werner Koch <wk@gnupg.org>

Details

Provenance

• werner	Authored on Dec 12 2014, 10:41 AM
• gniibe	Committed on Jan 13 2015, 2:44 AM

Parents

rGd92fe965f329: scd: Fix possibly inhibited checkpin of the admin pin.

Branches

Unknown

Tags

Unknown

Event Timeline

NIIBE Yutaka <gniibe@fsij.org> committed rGd2b0e613131d: gpg: Fix possible read of unallocated memory (authored by Werner Koch <wk@gnupg.org>).Jan 13 2015, 2:44 AM

Changes (1)

Path

Size

g10/

parse-packet.c

rGd2b0e613131d

View Options

gpg: Fix possible read of unallocated memoryd2b0e613131dUnpublishedActions