path: root/security/gnupg/patches/patch-ba
$NetBSD: patch-ba,v 1.1.2.2 2006/06/25 08:58:14 snj Exp $

Security fix for CVE-2006-3082, from GnuPG CVS repository.

--- g10/parse-packet.c.orig	2005-12-06 14:22:19.000000000 +0100
+++ g10/parse-packet.c	2006-06-24 16:09:34.000000000 +0200
@@ -1972,6 +1972,20 @@
 {
     byte *p;
 
+    /* Cap the size of a user ID at 2k: a value absurdly large enough
+       that there is no sane user ID string (which is printable text
+       as of RFC2440bis) that won't fit in it, but yet small enough to
+       avoid allocation problems.  A large pktlen may not be
+       allocatable, and a very large pktlen could actually cause our
+       allocation to wrap around in xmalloc to a small number. */
+
+    if(pktlen>2048)
+      {
+	log_error("packet(%d) too large\n", pkttype);
+	iobuf_skip_rest(inp, pktlen, 0);
+	return G10ERR_INVALID_PACKET;
+      }
+
     packet->pkt.user_id = xmalloc_clear(sizeof *packet->pkt.user_id + pktlen);
     packet->pkt.user_id->len = pktlen;
     packet->pkt.user_id->ref=1;
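Review bot: The cap in `if(pktlen>2048)` is a bare literal, so the limit and its rationale live only in this one function; a named constant, for example `#define MAX_USER_ID_PKTLEN 2048` (name is a suggestion), would let any other parser in this file that sizes an allocation as `sizeof *x + pktlen` apply the same bound. The guard only closes the wrap-around described in the comment if `pktlen` is an unsigned type, because a negative signed value would pass `>2048`; its declaration is outside the hunk and should be confirmed. The message `"packet(%d) too large\n"` reports the packet type but not the rejected length, and including `pktlen` would make oversized-packet rejections easier to triage from logs. The enclosing function begins before and continues past this hunk.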