blob: 2027b44108c558b8d140df38fb02b1c211ad9366 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
$NetBSD: patch-ba,v 1.1 2006/06/24 14:20:29 salo Exp $
Security fix for CVE-2006-3082, from GnuPG CVS repository.
--- g10/parse-packet.c.orig 2005-12-06 14:22:19.000000000 +0100
+++ g10/parse-packet.c 2006-06-24 16:09:34.000000000 +0200
@@ -1972,6 +1972,20 @@
{
byte *p;
+ /* Cap the size of a user ID at 2k: a value absurdly large enough
+ that there is no sane user ID string (which is printable text
+ as of RFC2440bis) that won't fit in it, but yet small enough to
+ avoid allocation problems. A large pktlen may not be
+ allocatable, and a very large pktlen could actually cause our
+ allocation to wrap around in xmalloc to a small number. */
+
+ if(pktlen>2048)
+ {
+ log_error("packet(%d) too large\n", pkttype);
+ iobuf_skip_rest(inp, pktlen, 0);
+ return G10ERR_INVALID_PACKET;
+ }
+
packet->pkt.user_id = xmalloc_clear(sizeof *packet->pkt.user_id + pktlen);
packet->pkt.user_id->len = pktlen;
packet->pkt.user_id->ref=1;
|