[Pkg-gnupg-maint] Bug#773507: Bug#773507: explicit buffer overrun

NIIBE Yutaka gniibe at fsij.org
Wed Jan 7 05:54:34 UTC 2015


Hello,

Thanks for your reviewing and reporting.  This message is Cc-ed to
gnupg-devel.

On 12/19/2014 07:24 PM, Joshua Rogers wrote:
> Package: gnupg2
> Version: 2.1.1
> Severity: normal
> 
> in dirmngr/ldap.c on line 617, argv may be overflowed.
> 
> 617: argv[argc++] = url;
> 
> a check is made on line 591 that checks to see whether argv is less than or email to 399, and if it does, exit.
> But argv is char *argv[50], while argc is a normal int.
> If argc is 398, it will pass that check.

Right.

Here's my fix.  I'm going to apply this change since it's obvious
simple fix and there will be no conflict.

diff --git a/dirmngr/ldap.c b/dirmngr/ldap.c
index 478fdfd..00df167 100644
--- a/dirmngr/ldap.c
+++ b/dirmngr/ldap.c
@@ -588,7 +588,7 @@ start_cert_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *context,
       strlist_t sl;
       char *url;

-      if (argc >= sizeof argv -1)
+      if (argc >= DIM (argv) - 1)
         {
           /* Too many patterns.  It does not make sense to allow an
              arbitrary number of patters because the length of the
-- 



More information about the Pkg-gnupg-maint mailing list