From 1cd710fbb93564e529fd961483e7609a8a3738f0 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 5 Mar 2017 02:21:30 +0000 Subject: Enforce the max packet length for OpenPGP subpackets as well This addresses: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 Signed-off-by: Alex Gaynor --- lib/opencdk/read-packet.c | 9 +++++++-- tests/cert-tests/data/openpgp-invalid9.pub | Bin 0 -> 16 bytes tests/cert-tests/openpgp-cert-parser | 3 ++- 3 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 tests/cert-tests/data/openpgp-invalid9.pub diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c index e7a1ceaac8..f86659a023 100644 --- a/lib/opencdk/read-packet.c +++ b/lib/opencdk/read-packet.c @@ -570,6 +570,9 @@ read_user_id(cdk_stream_t inp, size_t pktlen, cdk_pkt_userid_t user_id) } +#define MAX_PACKET_LEN (1<<24) + + static cdk_error_t read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes) { @@ -609,6 +612,10 @@ read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes) else return CDK_Inv_Packet; + if (size >= MAX_PACKET_LEN) { + return CDK_Inv_Packet; + } + node = cdk_subpkt_new(size); if (!node) return CDK_Out_Of_Core; @@ -951,8 +958,6 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen) return 0; } -#define MAX_PACKET_LEN (1<<24) - /** * cdk_pkt_read: * @inp: the input stream diff --git a/tests/cert-tests/data/openpgp-invalid9.pub b/tests/cert-tests/data/openpgp-invalid9.pub new file mode 100644 index 0000000000..5fbab2a0b5 Binary files /dev/null and b/tests/cert-tests/data/openpgp-invalid9.pub differ diff --git a/tests/cert-tests/openpgp-cert-parser b/tests/cert-tests/openpgp-cert-parser index 7f22271077..4ac5a6f946 100755 --- a/tests/cert-tests/openpgp-cert-parser +++ b/tests/cert-tests/openpgp-cert-parser @@ -42,7 +42,8 @@ echo "Checking OpenPGP certificate parsing" for i in "truncated.pub" "attribute-leak-1.pub" "subpkt-leak.pub" "openpgp-invalid1.pub" \ "openpgp-invalid2.pub" "openpgp-invalid3.pub" "openpgp-invalid4.pub" "openpgp-invalid5.pub" \ - "openpgp-invalid6.pub" "openpgp-invalid7.pub" "openpgp-invalid8.pub";do + "openpgp-invalid6.pub" "openpgp-invalid7.pub" "openpgp-invalid8.pub" \ + "openpgp-invalid9.pub";do ${VALGRIND} "${CERTTOOL}" --inraw --pgp-certificate-info --infile "${srcdir}/data/${i}" rc=$? if test $rc != 1;then -- cgit v1.2.1