Improve subpacket parsing robustness

Although we checked on each round of subpackets that we were still
within the correct length, we weren't checking the subpacket length
itself fit within the remaining data. Fixes some issues found using
American Fuzzy Lop.

diff --git a/decodekey.c b/decodekey.c
index 522ad901383dd6a217b0ef5ed2320a93e3d51f8b..be80151d2822c31ddef27de3dfe6cfbfc1d42368 100644 (file)
--- a/decodekey.c
+++ b/decodekey.c
@@ -82,6 +82,10 @@ onak_status_t parse_subpackets(unsigned char *data, size_t len,
                        packetlen <<= 8;
                        packetlen |= data[offset++];
                }
+               /* Check the supplied length is within the remaining data */
+               if (packetlen == 0 || (packetlen + offset) > length) {
+                       return ONAK_E_INVALID_PKT;
+               }
                switch (data[offset] & 0x7F) {
                case OPENPGP_SIGSUB_CREATION:
                        /*