From 4e785b6122f020d1ce1a31af8001316162051183 Mon Sep 17 00:00:00 2001
From: Jonathan McDowell
Date: Tue, 23 Aug 2016 09:27:30 +0100
Subject: [PATCH] Improve subpacket parsing robustness

Although we checked on each round of subpackets that we were still within the correct length, we weren't checking the subpacket length itself fit within the remaining data. Fixes some issues found using American Fuzzy Lop.
---
 decodekey.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/decodekey.c b/decodekey.c
index 522ad90..be80151 100644
--- a/decodekey.c
+++ b/decodekey.c
@@ -82,6 +82,10 @@ onak_status_t parse_subpackets(unsigned char *data, size_t len,
 packetlen <<= 8;
 packetlen |= data[offset++];
 }
+/* Check the supplied length is within the remaining data */
+if (packetlen == 0 || (packetlen + offset) > length) {
+return ONAK_E_INVALID_PKT;
+}
 switch (data[offset] & 0x7F) {
 case OPENPGP_SIGSUB_CREATION:
 /*
-- 
2.39.2
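Review bot: The new bound check `(packetlen + offset) > length` can itself wrap when `packetlen` is near the maximum of its type — the loop just above assembles it byte by byte with `packetlen <<= 8; packetlen |= data[offset++];`, so a crafted length can make the sum wrap below `length` and pass, leaving `data[offset]` and the subsequent subpacket reads out of range; comparing the remainder instead, `if (packetlen == 0 || packetlen > length - offset) {`, cannot overflow provided `offset <= length` is already guaranteed by the per-round check the commit message describes. The types of `packetlen`, `offset` and `length` are not visible in the hunk, so whether the wrap is reachable depends on their widths, but the subtraction form is safe regardless. The check compares against `length` while the signature in the hunk header names the parameter `len`; presumably `length` is a subpacket-area length read earlier in the function, which is worth confirming as the intended bound. parse_subpackets begins and ends outside the hunk.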