authorWerner Koch <wk@gnupg.org>2015-02-11 10:27:57 +0100
committerWerner Koch <wk@gnupg.org>2015-02-11 10:28:25 +0100
commit2183683bd633818dd031b090b5530951de76f392 (patch)
treeaf283f4f329a140b76df6f7e83dce7ebb07aabb8 /kbx/keybox-update.c
parentgpg: Prevent an invalid memory read using a garbled keyring. (diff)
Use inline functions to convert buffer data to scalars.
* common/host2net.h (buf16_to_ulong, buf16_to_uint): New. (buf16_to_ushort, buf16_to_u16): New. (buf32_to_size_t, buf32_to_ulong, buf32_to_uint, buf32_to_u32): New. -- Commit 91b826a38880fd8a989318585eb502582636ddd8 was not enough to avoid all sign extension on shift problems. Hanno Böck found a case with an invalid read due to this problem. To fix that once and for all almost all uses of "<< 24" and "<< 8" are changed by this patch to use an inline function from host2net.h. Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'kbx/keybox-update.c')
-rw-r--r--kbx/keybox-update.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/kbx/keybox-update.c b/kbx/keybox-update.c
index 7b207a520..4b14b2f23 100644
--- a/kbx/keybox-update.c
+++ b/kbx/keybox-update.c
@@ -28,6 +28,7 @@
#include "keybox-defs.h"
#include "../common/sysutils.h"
+#include "../common/host2net.h"
#define EXTSEP_S "."
@@ -734,8 +735,7 @@ keybox_compress (KEYBOX_HANDLE hd)
buffer = _keybox_get_blob_image (blob, &length);
if (length > 4 && buffer[4] == KEYBOX_BLOBTYPE_HEADER)
{
- u32 last_maint = ((buffer[20] << 24) | (buffer[20+1] << 16)
- | (buffer[20+2] << 8) | (buffer[20+3]));
+ u32 last_maint = buf32_to_u32 (buffer+20);
if ( (last_maint + 3*3600) > time (NULL) )
{
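Review bot: The guard `length > 4` only establishes that five bytes of the blob image exist, yet `buf32_to_u32 (buffer+20)` reads bytes 20 through 23, so a truncated or garbled header blob shorter than 24 bytes would be read past its end. Since the commit message says this patch closes invalid reads on garbled data, the condition should cover the field being read, e.g. `if (length >= 24 && buffer[4] == KEYBOX_BLOBTYPE_HEADER)`. The blob reader may already enforce a minimum header size elsewhere, but nothing in this hunk shows it. The body of keybox_compress starts and ends outside the hunk.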
@@ -811,7 +811,7 @@ keybox_compress (KEYBOX_HANDLE hd)
rc = gpg_error (GPG_ERR_BUG);
break;
}
- blobflags = ((buffer[pos] << 8) | (buffer[pos+1]));
+ blobflags = buf16_to_uint (buffer+pos);
if ((blobflags & KEYBOX_FLAG_BLOB_EPHEMERAL))
{
/* This is an ephemeral blob. */
@@ -820,8 +820,7 @@ keybox_compress (KEYBOX_HANDLE hd)
|| size != 4)
created_at = 0; /* oops. */
else
- created_at = ((buffer[pos] << 24) | (buffer[pos+1] << 16)
- | (buffer[pos+2] << 8) | (buffer[pos+3]));
+ created_at = buf32_to_u32 (buffer+pos);
if (created_at && created_at < cut_time)
{