author | Demi Marie Obenour <demi@invisiblethingslab.com> | 2022-03-01 13:23:21 -0500 |
---|---|---|
committer | Panu Matilainen <pmatilai@redhat.com> | 2022-03-21 13:55:24 +0200 |
commit | 31c41707d74e465b0a776df8938ee7f903dd08c9 (patch) | |
tree | 3c2cae33eb7b5c4189c06937a6f0a14f5bff0a69 /rpmio/rpmpgp.c | |
parent | 40571a74cf820a7cb91952e99a666a4ac5dea592 (diff) | |
download | rpm-31c41707d74e465b0a776df8938ee7f903dd08c9.tar.gz |
Reject OpenPGP data at or over 64KiB
Such data is probably an attempt to exploit RPM, not do anything useful.
This avoids a whole class of silly integer overflow problems.
Signatures in packages are already limited to less than 64MiB by the
maximum size of the signature header, and this is already a sufficient
limitation.
Diffstat (limited to 'rpmio/rpmpgp.c')
-rw-r--r-- | rpmio/rpmpgp.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
index 02009000e..59c80d7c4 100644
--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
@@ -1104,6 +1104,8 @@ static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig,
 return rc;
 }
+static const size_t RPM_MAX_OPENPGP_BYTES = 65535; /* max number of bytes in a key */
+
 int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
 pgpDigParams * ret)
 {
@@ -1113,11 +1115,14 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
 pgpDigParams selfsig = NULL;
 int i = 0;
 int alloced = 16; /* plenty for normal cases */
- struct pgpPkt *all = xmalloc(alloced * sizeof(*all));
 int rc = -1; /* assume failure */
 int expect = 0;
 int prevtag = 0;
+ if (pktlen > RPM_MAX_OPENPGP_BYTES)
+ return rc; /* reject absurdly large data */
+
+ struct pgpPkt *all = xmalloc(alloced * sizeof(*all));
 while (p < pend) {
 struct pgpPkt *pkt = &all[i];
 if (decodePkt(p, (pend - p), pkt)) |
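Review bot: The comment on `RPM_MAX_OPENPGP_BYTES` says "max number of bytes in a key", but the constant is compared against `pktlen` in pgpPrtParams, which takes a `pkttype` argument and, per the commit message, is also meant to bound signature data. I would reword it to `/* largest OpenPGP blob (key or signature), in bytes, that pgpPrtParams() will parse */`. It is also worth stating that the bound is inclusive, because the title's "at or over 64KiB" only follows from the `>` comparison combined with the value 65535.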
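Review bot: The new `pktlen > RPM_MAX_OPENPGP_BYTES` guard sits only in pgpPrtParams, so the overflow class the commit message refers to is closed for this entry point alone. If other routines in rpmpgp.c take a raw packet buffer and length (none are visible in this hunk), they would still parse unbounded input. Either share the check through a small static helper called at each such entry, or add a comment above the guard such as `/* other parsers rely on callers having passed this check first */` if that is the actual contract. The early `return rc;` also reports the same -1 as a malformed packet with no diagnostic, so an oversized blob cannot be told apart from a parse failure during triage; a log message at the guard and a boundary test (65535 bytes passes the size check, 65536 is rejected) would pin the behaviour. The function body continues past the end of the hunk, so the cleanup path that the early return bypasses is not visible here.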