Re: fixing a corrup keyring

Thu, 21 Apr 2005 06:21:21 -0700 

On Tue, 19 Apr 2005 10:55:07 +0200, folkert  said:

> Hi,
> I have a keyring with quiet a few keys (thousands) and now something
> is wrong with it:
> gpg --list-keys gives
> gpg: Ohhhh jeeee: mpi crosses packet border

It is unfurtune that gpg bails out immediately in this caase.  In fact
it is not a bug (this is what the "Ohhh jeeee" shall indicate) but
currupt input data.  I have not created a test case yet but changed
the code to fail mopre gracefully.  This won't help too much I fear
but it is a first step to a recovery mode.

Please apply the attached patch against 1.4.1 or CVS.


Salam-Shalom,

   Werner


2005-04-21  Werner Koch  <[EMAIL PROTECTED]>

        * mpicoder.c (mpi_read): Changed error detection to always return
        an error while maintaining the actual number of bytes read.


--- mpi/mpicoder.c      20 Dec 2004 10:05:20 -0000      1.33
+++ mpi/mpicoder.c      21 Apr 2005 13:21:15 -0000
@@ -1,5 +1,5 @@
 /* mpicoder.c  -  Coder for the external representation of MPIs
- * Copyright (C) 1998, 1999 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2005 Free Software Foundation, Inc.
  *
  * This file is part of GnuPG.
  *
@@ -74,20 +74,23 @@ mpi_read(IOBUF inp, unsigned *ret_nread,
 #endif
 {
     int c, i, j;
+    unsigned int nmax = *ret_nread;
     unsigned nbits, nbytes, nlimbs, nread=0;
     mpi_limb_t a;
     MPI val = MPI_NULL;
 
     if( (c = iobuf_get(inp)) == -1 )
        goto leave;
-    nread++;
+    if (++nread >= nmax)
+        goto overflow;
     nbits = c << 8;
     if( (c = iobuf_get(inp)) == -1 )
        goto leave;
-    nread++;
+    if (++nread >= nmax)
+        goto overflow;
     nbits |= c;
     if( nbits > MAX_EXTERN_MPI_BITS ) {
-       log_error("mpi too large (%u bits)\n", nbits);
+       log_error("mpi too large for this implementation (%u bits)\n", nbits);
        goto leave;
     }
 
@@ -108,6 +111,15 @@ mpi_read(IOBUF inp, unsigned *ret_nread,
     for( ; j > 0; j-- ) {
        a = 0;
        for(; i < BYTES_PER_MPI_LIMB; i++ ) {
+            if (nread >= nmax) {
+#ifdef M_DEBUG
+                mpi_debug_free (val);
+#else
+                mpi_free (val);
+#endif
+                val = NULL;
+                goto overflow;
+            }
            a <<= 8;
            a |= iobuf_get(inp) & 0xff; nread++;
        }
@@ -116,10 +128,11 @@ mpi_read(IOBUF inp, unsigned *ret_nread,
     }
 
   leave:
-    if( nread > *ret_nread )
-       log_bug("mpi crosses packet border\n");
-    else
-       *ret_nread = nread;
+    *ret_nread = nread;
+    return val;
+  overflow:
+    log_error ("mpi larger than indicated length (%u bytes)\n", nmax);
+    *ret_nread = nread;
     return val;
 }
 

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to