Andreas Stieger
f26c508bf1
fix buffer overflow in OID to string conversion function [boo#907198] OBS-URL: https://build.opensuse.org/request/show/263168 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=84
78 lines
2.3 KiB
Diff
78 lines
2.3 KiB
Diff
From: Werner Koch <wk@gnupg.org>
|
|
Date: Tue, 25 Nov 2014 11:58:56 +0100
|
|
Subject: [PATCH] Fix buffer overflow in openpgp_oid_to_str.
|
|
References: boo#907198 http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8445ef24fc31e1fe0291e17f90f9f06b536e34da
|
|
Upstream: committed
|
|
|
|
* common/openpgp-oid.c (openpgp_oid_to_str): Fix unsigned underflow.
|
|
|
|
* common/t-openpgp-oid.c (BADOID): New.
|
|
(test_openpgp_oid_to_str): Add test cases.
|
|
--
|
|
|
|
The code has an obvious error by not considering invalid encoding for
|
|
arc-2. A first byte of 0x80 can be used to make a value of less then
|
|
80 and we then subtract 80 from that value as required by the OID
|
|
encoding rules. Due to the unsigned integer this results in a pretty
|
|
long value which won't fit anymore into the allocated buffer.
|
|
|
|
The fix is obvious. Also added a few simple test cases. Note that we
|
|
keep on using sprintf instead of snprintf because managing the
|
|
remaining length of the buffer would probably be more error prone than
|
|
assuring that the buffer is large enough. Getting rid of sprintf
|
|
altogether by using direct conversion along with membuf_t like code
|
|
might be possible.
|
|
|
|
Reported-by: Hanno Böck
|
|
Signed-off-by: Werner Koch <wk@gnupg.org>
|
|
|
|
Ported from libksba commit f715b9e156dfa99ae829fc694e5a0abd23ef97d7
|
|
---
|
|
common/openpgp-oid.c | 2 ++
|
|
common/t-openpgp-oid.c | 9 +++++++++
|
|
2 files changed, 11 insertions(+)
|
|
|
|
diff --git a/common/openpgp-oid.c b/common/openpgp-oid.c
|
|
index 010c23f..d3d1f2a 100644
|
|
--- a/common/openpgp-oid.c
|
|
+++ b/common/openpgp-oid.c
|
|
@@ -236,6 +236,8 @@ openpgp_oid_to_str (gcry_mpi_t a)
|
|
val <<= 7;
|
|
val |= buf[n] & 0x7f;
|
|
}
|
|
+ if (val < 80)
|
|
+ goto badoid;
|
|
val -= 80;
|
|
sprintf (p, "2.%lu", val);
|
|
p += strlen (p);
|
|
diff --git a/common/t-openpgp-oid.c b/common/t-openpgp-oid.c
|
|
index 79e5a70..5cd778d 100644
|
|
--- a/common/t-openpgp-oid.c
|
|
+++ b/common/t-openpgp-oid.c
|
|
@@ -32,6 +32,9 @@
|
|
} while(0)
|
|
|
|
|
|
+#define BADOID "1.3.6.1.4.1.11591.2.12242973"
|
|
+
|
|
+
|
|
static void
|
|
test_openpgp_oid_from_str (void)
|
|
{
|
|
@@ -108,6 +111,12 @@ test_openpgp_oid_to_str (void)
|
|
{ "1.3.132.0.35",
|
|
{ 5, 0x2B, 0x81, 0x04, 0x00, 0x23 }},
|
|
|
|
+ { BADOID,
|
|
+ { 9, 0x80, 0x02, 0x70, 0x50, 0x25, 0x46, 0xfd, 0x0c, 0xc0 }},
|
|
+
|
|
+ { BADOID,
|
|
+ { 1, 0x80 }},
|
|
+
|
|
{ NULL }};
|
|
gcry_mpi_t a;
|
|
int idx;
|
|
--
|
|
1.7.10.4
|
|
|