gpg: Fix a NULL-deref due to empty ring trust packets.
authorWerner Koch <wk@gnupg.org>
Sun, 22 Feb 2015 04:10:28 +0000 (23:10 -0500)
committerWerner Koch <wk@gnupg.org>
Mon, 23 Feb 2015 09:45:08 +0000 (10:45 +0100)
* g10/parse-packet.c (parse_trust): Always allocate a packet.
--

Reported-by: Hanno Böck <hanno@hboeck.de>
Signed-off-by: Werner Koch <wk@gnupg.org>
(back ported from commit 39978487863066e59bb657f5fe4e8baab510da7e)

[dkg: rebased to STABLE-BRANCH-1-4]
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
g10/parse-packet.c

index c0b6ad6..e7e923b 100644 (file)
@@ -2245,11 +2245,13 @@ parse_trust( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *pkt )
 {
   int c;
 
+  (void)pkttype;
+
+  pkt->pkt.ring_trust = xmalloc( sizeof *pkt->pkt.ring_trust );
   if (pktlen)
     {
       c = iobuf_get_noeof(inp);
       pktlen--;
-      pkt->pkt.ring_trust = xmalloc( sizeof *pkt->pkt.ring_trust );
       pkt->pkt.ring_trust->trustval = c;
       pkt->pkt.ring_trust->sigcache = 0;
       if (!c && pktlen==1)
@@ -2267,8 +2269,10 @@ parse_trust( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *pkt )
     }
   else
     {
-      if( list_mode )
-       fprintf (listfp, ":trust packet: empty\n");
+      pkt->pkt.ring_trust->trustval = 0;
+      pkt->pkt.ring_trust->sigcache = 0;
+      if (list_mode)
+        fprintf (listfp, ":trust packet: empty\n");
     }
   iobuf_skip_rest (inp, pktlen, 0);
 }