gpg: Prevent an invalid memory read using a garbled keyring.
author Werner Koch <wk@gnupg.org>
Sun, 22 Feb 2015 04:10:30 +0000 (23:10 -0500)
committer Werner Koch <wk@gnupg.org>
Mon, 23 Feb 2015 09:46:07 +0000 (10:46 +0100)
commit 81d3e541326e94d26a953aa70afc3cb149d11ebe
tree 1097a2458efcd3308789b8e0c75bf2b096b4eaea
parent 68f260f77a9e4f5cacf0a58e4f55ddee125d3f00
gpg: Prevent an invalid memory read using a garbled keyring.

* g10/keyring.c (keyring_get_keyblock): Whitelist allowed packet
types.
--

The keyring DB code did not reject packets which don't belong in a
keyring.  If for example the keyblock contains a literal data packet
it is expected that the processing code stops at the data packet and
reads from the input stream which is referenced from the data packets.
Obviously the keyring processing code does not and cannot do that.
However, when exporting, this messes up the IOBUF and leads to an
invalid read of sizeof (int).

We now skip all packets which are not allowed in a keyring.

Reported-by: Hanno Böck <hanno@hboeck.de>
(back ported from commit f0f71a721ccd7ab9e40b8b6b028b59632c0cc648)

[dkg: rebased to STABLE-BRANCH-1-4]
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
g10/keyring.c
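
The packet-type whitelist described in the commit message, as an added example that is not code from this commit or from GnuPG: a bounds-checked walk over OpenPGP packet headers that steps over any packet whose tag does not belong in a keyring. The names `scan_keyring`, `allowed_in_keyring` and `be`, the allowed-tag list (RFC 4880 transferable-key packets plus the trust packet) and the sample bytes are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Tags RFC 4880 allows in a transferable key (2, 5, 6, 7, 13, 14, 17) plus
   trust (12). Assumed list for this example, not copied from the commit. */
#define KEYRING_TAGS (1u<<2 | 1u<<5 | 1u<<6 | 1u<<7 | 1u<<12 | 1u<<13 | 1u<<14 | 1u<<17)
static int allowed_in_keyring(unsigned tag)
{
    return tag < 32 && ((KEYRING_TAGS >> tag) & 1);  /* 11 (literal data) is not */
}

static size_t be(const uint8_t *p, unsigned n)       /* big-endian value, n <= 4 */
{
    size_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

/* Returns the number of packets kept and sets *skipped, or returns -1 on a
   malformed or truncated packet. Skipped bodies are never interpreted. */
int scan_keyring(const uint8_t *buf, size_t len, int *skipped)
{
    size_t pos = 0, body;
    unsigned tag, n;                                 /* n: count of length octets */
    int kept = 0;
    *skipped = 0;
    while (pos < len) {
        uint8_t c = buf[pos++];
        if (!(c & 0x80) || pos >= len) return -1;    /* bad or truncated header */
        if (c & 0x40) {                              /* new-format header */
            tag = c & 0x3f;
            n = buf[pos] < 192 ? 1 : buf[pos] < 224 ? 2 : buf[pos] == 255 ? 5 : 0;
        } else {                                     /* old-format header */
            tag = (c >> 2) & 0x0f;
            n = (c & 3) == 3 ? 0 : 1u << (c & 3);
        }
        if (n == 0 || len - pos < n) return -1;      /* partial/indeterminate or short */
        if (!(c & 0x40) || n == 1) body = be(buf + pos, n);
        else if (n == 2) body = ((size_t)(buf[pos] - 192) << 8) + buf[pos + 1] + 192;
        else body = be(buf + pos + 1, 4);
        pos += n;
        if (len - pos < body) return -1;             /* body runs past the buffer */
        if (allowed_in_keyring(tag)) kept++; else (*skipped)++;
        pos += body;
    }
    return kept;
}

/* Constructed sample: tag 6 key and tag 11 literal data (old format), tag 13 user ID (new). */
static const uint8_t sample[] = { 0x98, 2, 0xAA, 0xBB,  0xAC, 1, 0xCC,  0xCD, 3, 'b', 'o', 'b' };
```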