authorAlex Gaynor <alex.gaynor@gmail.com>2017-03-05 02:21:30 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-03-05 17:55:08 +0100
commitac59fb20faff9a267c05356bfc535fb279b2fbbd (patch)
tree0bb2dc7f3fc18ab49a20899992568f315bfab246
parent69bedfa254f3f5e01107e69edc96cbde00df340e (diff)
downloadgnutls-ac59fb20faff9a267c05356bfc535fb279b2fbbd.tar.gz
Enforce the max packet length for OpenPGP subpackets as well
This addresses: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>
-rw-r--r--lib/opencdk/read-packet.c9
-rw-r--r--tests/cert-tests/data/openpgp-invalid9.pubbin0 -> 16 bytes
-rwxr-xr-xtests/cert-tests/openpgp-cert-parser3
3 files changed, 9 insertions, 3 deletions
diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c
index 3052dbfdf1..062974fe3e 100644
--- a/lib/opencdk/read-packet.c
+++ b/lib/opencdk/read-packet.c
@@ -570,6 +570,9 @@ read_user_id(cdk_stream_t inp, size_t pktlen, cdk_pkt_userid_t user_id)
}
+#define MAX_PACKET_LEN (1<<24)
+
+
static cdk_error_t
read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes)
{
@@ -609,6 +612,10 @@ read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes)
else
return CDK_Inv_Packet;
+ if (size >= MAX_PACKET_LEN) {
+ return CDK_Inv_Packet;
+ }
+
node = cdk_subpkt_new(size);
if (!node)
return CDK_Out_Of_Core;
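Review bot: The new guard in read_subpkt caps `size` at MAX_PACKET_LEN but does not tie it to the length of the enclosing packet, so a subpacket header of a few bytes can still make `cdk_subpkt_new(size)` allocate just under 16 MiB. The signature `read_subpkt(inp, r_ctx, r_nbytes)` carries no remaining-length argument, so a tighter bound would have to come from the caller; if the caller knows how many bytes the subpacket area declares, passing that in and rejecting any larger `size` would be the stronger check. The lower end is worth confirming too: the rest of the body is outside this hunk, but if it subtracts the type octet from `size`, a zero length needs rejecting as well, e.g. `if (size == 0 || size >= MAX_PACKET_LEN) return CDK_Inv_Packet;`. A short comment above the check, such as `/* length is read from untrusted input; bound it before allocating */`, would record why it is there.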
@@ -950,8 +957,6 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen)
return 0;
}
-#define MAX_PACKET_LEN (1<<24)
-
/**
* cdk_pkt_read:
* @inp: the input stream
diff --git a/tests/cert-tests/data/openpgp-invalid9.pub b/tests/cert-tests/data/openpgp-invalid9.pub
new file mode 100644
index 0000000000..5fbab2a0b5
--- /dev/null
+++ b/tests/cert-tests/data/openpgp-invalid9.pub
Binary files differ
diff --git a/tests/cert-tests/openpgp-cert-parser b/tests/cert-tests/openpgp-cert-parser
index 7f22271077..4ac5a6f946 100755
--- a/tests/cert-tests/openpgp-cert-parser
+++ b/tests/cert-tests/openpgp-cert-parser
@@ -42,7 +42,8 @@ echo "Checking OpenPGP certificate parsing"
for i in "truncated.pub" "attribute-leak-1.pub" "subpkt-leak.pub" "openpgp-invalid1.pub" \
"openpgp-invalid2.pub" "openpgp-invalid3.pub" "openpgp-invalid4.pub" "openpgp-invalid5.pub" \
- "openpgp-invalid6.pub" "openpgp-invalid7.pub" "openpgp-invalid8.pub";do
+ "openpgp-invalid6.pub" "openpgp-invalid7.pub" "openpgp-invalid8.pub" \
+ "openpgp-invalid9.pub";do
${VALGRIND} "${CERTTOOL}" --inraw --pgp-certificate-info --infile "${srcdir}/data/${i}"
rc=$?
if test $rc != 1;then