RPM Package Manager, CVS Repository
  http://rpm5.org/cvs/
  ____________________________________________________________________________

  Server: rpm5.org                         Name:   Jeff Johnson
  Root:   /v/rpm/cvs                       Email:  j...@rpm5.org
  Module: rpm                              Date:   03-Apr-2016 22:43:05
  Branch: rpm-5_4                          Handle: 2016040320430500

  Modified files:           (Branch: rpm-5_4)
    rpm/lib                 rpmchecksig.c

  Log:
    - check pgpPktLen and rpmhkpLoad* return codes.

  Summary:
    Revision    Changes     Path
    1.240.2.16  +21 -14     rpm/lib/rpmchecksig.c
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: rpm/lib/rpmchecksig.c
  ============================================================================
  $ cvs diff -u -r1.240.2.15 -r1.240.2.16 rpmchecksig.c
  --- rpm/lib/rpmchecksig.c     19 Feb 2015 22:05:53 -0000      1.240.2.15
  +++ rpm/lib/rpmchecksig.c     3 Apr 2016 20:43:05 -0000       1.240.2.16
  @@ -161,18 +161,18 @@
        /*@modifies *signid, fileSystem, internalState @*/
   {
       HE_t he = (HE_t) memset(alloca(sizeof(*he)), 0, sizeof(*he));
  -    int rc = 1;
  +    int rc = 1;              /* assume failure */
       int xx;
   
       he->tag = (rpmTag) sigtag;
       xx = headerGet(sigh, he, 0);
       if (xx && he->p.ptr != NULL) {
        pgpDig dig = pgpDigNew(RPMVSF_DEFAULT, PGPPUBKEYALGO_UNKNOWN);
  -
        /* XXX expose ppSignid() from rpmhkp.c? */
        pgpPkt pp = (pgpPkt) alloca(sizeof(*pp));
  -     (void) pgpPktLen(he->p.ui8p, he->c, pp);
  -     if (!rpmhkpLoadSignature(NULL, dig, pp)) {
  +     if (pgpPktLen(he->p.ui8p, he->c, pp) > 0
  +      && !rpmhkpLoadSignature(NULL, dig, pp))
  +     {
            memcpy(signid, dig->signature.signid, 
sizeof(dig->signature.signid));
            rc = 0;
        }
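Review bot: The guard added here tests `pgpPktLen(he->p.ui8p, he->c, pp) > 0`, while every other call site changed in this commit tests `< 0`, so a zero return counts as failure in this function and as success in the rest. If pgpPktLen can never return 0 the two forms are equivalent, but one convention throughout would make the signature-id path easier to audit. A short comment at the call would help, e.g. `/* pgpPktLen: <0 on malformed packet, else packet length */`, once that contract is confirmed. The function starts and ends outside the hunk, so whether `dig` is released on the new failure path cannot be checked from here.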
  @@ -566,9 +566,9 @@
        (void) pgpPubkeyFingerprint(hkp->pkt, hkp->pktlen, hkp->keyid);
       memcpy(pubp->signid, hkp->keyid, sizeof(pubp->signid)); /* XXX useless */
   
  -    xx = pgpPktLen(hkp->pkt, hkp->pktlen, pp);
  -
  -    xx = rpmhkpLoadKey(hkp, dig, 0, 0);
  +    if (pgpPktLen(hkp->pkt, hkp->pktlen, pp) < 0
  +     || rpmhkpLoadKey(hkp, dig, 0, 0))
  +     goto exit;
   
       /* Validate pubkey self-signatures. */
       if (validate) {
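Review bot: `pgpPubkeyFingerprint(hkp->pkt, hkp->pktlen, hkp->keyid)` at the top of this hunk still has its result cast to `(void)` and runs before the new `pgpPktLen` check, so the `memcpy` into `pubp->signid` can copy a key id that was never derived from a well-formed packet. Moving the length check above the fingerprint call and testing the fingerprint result would finish what the log message describes, e.g. `if (pgpPubkeyFingerprint(hkp->pkt, hkp->pktlen, hkp->keyid)) goto exit;`, assuming it returns non-zero on failure. The `exit` label is outside the hunk. The `goto exit` added here, and those added in the @@ -592 and @@ -1149 hunks, are only correct if `rc` still holds a failure value when they are taken.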
  @@ -592,8 +592,10 @@
       /* XXX hack up a user id (if not already present) */
       if (pubp->userid == NULL) {
        if (hkp->uidx >= 0 && hkp->uidx < hkp->npkts) {
  -         size_t nb = pgpPktLen(hkp->pkts[hkp->uidx], hkp->pktlen, pp);
  +         size_t nb;
            char * t;
  +         if (pgpPktLen(hkp->pkts[hkp->uidx], hkp->pktlen, pp) < 0)
  +             goto exit;
            nb = pp->hlen;
            t = (char *) memcpy(xmalloc(nb + 1), pp->u.u->userid, nb);
            t[nb] = '\0';
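Review bot: The length passed to `pgpPktLen` for the user-id packet is `hkp->pktlen`, which looks like the size of the whole key buffer rather than the bytes remaining from `hkp->pkts[hkp->uidx]`, so the new `< 0` check may accept a packet whose declared length runs past the end of the buffer. `nb = pp->hlen` then sizes the `memcpy` from `pp->u.u->userid`, so a bound that is too loose would let that copy read beyond the key data. If the `pkts[]` entries do point into `hkp->pkt`, the remaining length would be `hkp->pktlen - (hkp->pkts[hkp->uidx] - hkp->pkt)`. That relationship is not visible in this hunk and should be confirmed before changing the call.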
  @@ -1149,9 +1151,13 @@
        case RPMSIGTAG_RSA:
        case RPMSIGTAG_ECDSA:
            he->tag = she->tag;
  -         xx = headerGet(sigh, he, 0);
  -         xx = pgpPktLen(he->p.ui8p, he->c, pp);
  -         xx = rpmhkpLoadSignature(NULL, dig, pp);
  +         if (!headerGet(sigh, he, 0) 
  +          || pgpPktLen(he->p.ui8p, he->c, pp) < 0
  +          || rpmhkpLoadSignature(NULL, dig, pp))
  +         {
  +             he->p.ptr = _free(he->p.ptr);
  +             goto exit;
  +         }
            he->p.ptr = _free(he->p.ptr);
            break;
        }
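Review bot: `he->p.ptr = _free(he->p.ptr);` now appears twice, once on the failure path and once before `break`, so a later edit that touches only one copy can leak the header data on the other. Recording the result first keeps a single release: `xx = (!headerGet(sigh, he, 0) || pgpPktLen(he->p.ui8p, he->c, pp) < 0 || rpmhkpLoadSignature(NULL, dig, pp));`, then `he->p.ptr = _free(he->p.ptr);`, then `if (xx) goto exit;`. The failure path also leaves without an `rpmlog` call, unlike the @@ -1201 hunk, so a package rejected here for a malformed signature tag produces no diagnostic unless the code at `exit` (outside the hunk) logs one.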
  @@ -1201,9 +1207,10 @@
                if (nosignatures)
                     continue;
   
  -             xx = pgpPktLen(she->p.ui8p, she->c, pp);
  -             xx = rpmhkpLoadSignature(NULL, dig, pp);
  -             if (sigp->version != 3 && sigp->version != 4) {
  +             if (pgpPktLen(she->p.ui8p, she->c, pp) < 0
  +              || rpmhkpLoadSignature(NULL, dig, pp)
  +              || (sigp->version != 3 && sigp->version != 4))
  +             {
                    rpmlog(RPMLOG_ERR,
                _("skipping package %s with unverifiable V%u signature\n"),
                        fn, sigp->version);
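Review bot: When `pgpPktLen` or `rpmhkpLoadSignature` fails, this branch now logs `sigp->version` even though the signature parameters were presumably not loaded for this package, so the `V%u` in the message may be zero or left over from an earlier parse. Someone triaging a rejected package would then be chasing a version number that was never read. A distinct message for the parse failure avoids that, e.g. `rpmlog(RPMLOG_ERR, _("skipping package %s with malformed signature\n"), fn);`, with a comment `/* sigp is only meaningful after rpmhkpLoadSignature() succeeds */` on the version test. The statement and its enclosing loop continue past the end of the hunk.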
  @@ .
______________________________________________________________________
RPM Package Manager                                    http://rpm5.org
CVS Sources Repository                                rpm-cvs@rpm5.org
