gpg: Fix off-by-one read in the attribute subpacket parser.
authorWerner Koch <wk@gnupg.org>
Mon, 24 Nov 2014 18:12:37 +0000 (19:12 +0100)
committerWerner Koch <wk@gnupg.org>
Mon, 24 Nov 2014 18:27:20 +0000 (19:27 +0100)
* g10/parse-packet.c (parse_attribute_subpkts): Check that the
attribute packet is large enough for the subpacket type.
--

Reported-by: Hanno Böck
Signed-off-by: Werner Koch <wk@gnupg.org>
(backported from commit 0988764397f99db4efef1eabcdb8072d6159af76)

g10/parse-packet.c

index f1d7f71..99ff7b7 100644 (file)
@@ -2102,6 +2102,14 @@ parse_attribute_subpkts(PKT_user_id *uid)
       if( buflen < n )
        goto too_short;
 
+      if (!n)
+        {
+          /* Too short to encode the subpacket type.  */
+          if (opt.verbose)
+            log_info ("attribute subpacket too short\n");
+          break;
+        }
+
       attribs=xrealloc(attribs,(count+1)*sizeof(struct user_attribute));
       memset(&attribs[count],0,sizeof(struct user_attribute));