authorWerner Koch <wk@gnupg.org>2014-05-14 16:32:49 +0200
committerWerner Koch <wk@gnupg.org>2014-05-14 18:13:11 +0200
commit25036ec6abbc0c9d0003dcfe227724038c35a304 (patch)
tree2628b702861e55fc78e765c531c68594fd2d4e66
parentw32: Make make_absfilename work with drive letters. (diff)
gpg: Fix uninitialized access to search descindex with gpg keyboxes.
* kbx/keybox-search.c (keybox_search): Add arg R_DESCINDEX. Change both callers. * g10/keydb.c (keydb_search): Always set DESCINDEX. -- This only affects the new keybox for OpenPGP keys in 2.1. The bug exhibited itself by running GPA's backup command on Windows.
-rw-r--r--g10/keydb.c7
-rw-r--r--kbx/keybox-search.c7
-rw-r--r--kbx/keybox.h5
-rw-r--r--sm/keydb.c2
4 files changed, 15 insertions, 6 deletions
diff --git a/g10/keydb.c b/g10/keydb.c
index 9085012f7..688c24c6f 100644
--- a/g10/keydb.c
+++ b/g10/keydb.c
@@ -1319,6 +1319,9 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc,
{
gpg_error_t rc;
+ if (descindex)
+ *descindex = 0; /* Make sure it is always set on return. */
+
if (!hd)
return gpg_error (GPG_ERR_INV_ARG);
@@ -1333,6 +1336,7 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc,
&& keyblock_cache.kid[0] == desc[0].u.kid[0]
&& keyblock_cache.kid[1] == desc[0].u.kid[1])
{
+ /* (DESCINDEX is already set). */
if (DBG_CLOCK)
log_clock ("keydb_search leave (cached)");
return 0;
@@ -1352,7 +1356,8 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc,
ndesc, descindex);
break;
case KEYDB_RESOURCE_TYPE_KEYBOX:
- rc = keybox_search (hd->active[hd->current].u.kb, desc, ndesc);
+ rc = keybox_search (hd->active[hd->current].u.kb, desc,
+ ndesc, descindex);
break;
}
if (rc == -1 || gpg_err_code (rc) == GPG_ERR_EOF)
diff --git a/kbx/keybox-search.c b/kbx/keybox-search.c
index 798079488..ba284f9b5 100644
--- a/kbx/keybox-search.c
+++ b/kbx/keybox-search.c
@@ -720,7 +720,8 @@ keybox_search_reset (KEYBOX_HANDLE hd)
/* Note: When in ephemeral mode the search function does visit all
blobs but in standard mode, blobs flagged as ephemeral are ignored. */
int
-keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc)
+keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc,
+ size_t *r_descindex)
{
int rc;
size_t n;
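Review bot: The new r_descindex parameter is never initialized inside keybox_search itself, so what a caller reads after an EOF or error return depends on the caller having pre-set it — g10/keydb.c now does so, sm/keydb.c passes NULL, but any future caller gets the same uninitialized read this commit is fixing. Initializing at entry, `if (r_descindex) *r_descindex = 0;` right after `size_t n;`, would make the function safe on its own rather than splitting the responsibility between callee and caller. The comment above the function should also describe the new argument, e.g. `R_DESCINDEX, if not NULL, receives the index into DESC of the matching descriptor; only meaningful when 0 is returned.` The body of keybox_search continues beyond this hunk.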
@@ -945,6 +946,10 @@ keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc)
}
continue;
found:
+ /* Record which DESC we matched on. Note this value is only
+ meaningful if this function returns with no errors. */
+ if(r_descindex)
+ *r_descindex = n;
for (n=any_skip?0:ndesc; n < ndesc; n++)
{
/* if (desc[n].skipfnc */
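Review bot: `if(r_descindex)` drops the space before the parenthesis that the rest of this file and the matching change in g10/keydb.c (`if (descindex)`) use; write `if (r_descindex)`. Since the store happens only on the found path, the comment's caveat that the value is meaningful only on a successful return is accurate and worth keeping. keybox_search continues outside the hunk.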
diff --git a/kbx/keybox.h b/kbx/keybox.h
index 5b2943747..4c447a577 100644
--- a/kbx/keybox.h
+++ b/kbx/keybox.h
@@ -83,7 +83,8 @@ int keybox_get_cert (KEYBOX_HANDLE hd, ksba_cert_t *ret_cert);
int keybox_get_flags (KEYBOX_HANDLE hd, int what, int idx, unsigned int *value);
int keybox_search_reset (KEYBOX_HANDLE hd);
-int keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc);
+int keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc,
+ size_t *r_descindex);
/*-- keybox-update.c --*/
@@ -109,8 +110,6 @@ int keybox_compress (KEYBOX_HANDLE hd);
#if 0
int keybox_locate_writable (KEYBOX_HANDLE hd);
-int keybox_search_reset (KEYBOX_HANDLE hd);
-int keybox_search (KEYBOX_HANDLE hd, KEYDB_SEARCH_DESC *desc, size_t ndesc);
int keybox_rebuild_cache (void *);
#endif
diff --git a/sm/keydb.c b/sm/keydb.c
index de9c95cb5..845ebba88 100644
--- a/sm/keydb.c
+++ b/sm/keydb.c
@@ -798,7 +798,7 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc, size_t ndesc)
BUG(); /* we should never see it here */
break;
case KEYDB_RESOURCE_TYPE_KEYBOX:
- rc = keybox_search (hd->active[hd->current].u.kr, desc, ndesc);
+ rc = keybox_search (hd->active[hd->current].u.kr, desc, ndesc, NULL);
break;
}
if (rc == -1) /* EOF -> switch to next resource */