From: Jonathan McDowell Date: Tue, 23 Aug 2016 08:27:30 +0000 (+0100) Subject: Improve subpacket parsing robustness X-Git-Tag: onak-0.5.0~2 X-Git-Url: https://the.earth.li/gitweb/?a=commitdiff_plain;h=4e785b6122f020d1ce1a31af8001316162051183;p=onak.git Improve subpacket parsing robustness Although we checked on each round of subpackets that we were still within the correct length, we weren't checking the subpacket length itself fit within the remaining data. Fixes some issues found using American Fuzzy Lop. --- diff --git a/decodekey.c b/decodekey.c index 522ad90..be80151 100644 --- a/decodekey.c +++ b/decodekey.c @@ -82,6 +82,10 @@ onak_status_t parse_subpackets(unsigned char *data, size_t len, packetlen <<= 8; packetlen |= data[offset++]; } + /* Check the supplied length is within the remaining data */ + if (packetlen == 0 || (packetlen + offset) > length) { + return ONAK_E_INVALID_PKT; + } switch (data[offset] & 0x7F) { case OPENPGP_SIGSUB_CREATION: /*
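Review bot: The new bound in parse_subpackets compares `packetlen + offset` against `length`, but the only size visible in the hunk header is the parameter `size_t len`; please confirm that `length` is the subpacket-area length read earlier in the function and that it was itself checked against `len` (the caller's buffer size) before the loop, otherwise this check bounds the subpacket against a value that may exceed the actual data. Two smaller points on the same lines: writing the test as `packetlen > length - offset` (with `offset <= length` already established by the loop condition) avoids any wraparound if `packetlen` is assembled from the multi-byte length encoding into a type narrower than `size_t`, and the `packetlen == 0` branch deserves a one-line comment, since a zero-length subpacket has no type octet and the `data[offset] & 0x7F` read that follows would otherwise look at the next subpacket's length byte.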