[pacman-dev] libalpm/signing.c: Fix calculation of packet size in parse_subpacket

Message ID 20200520042217.1038873-1-allan@archlinux.org
State Accepted, archived

Commit Message

Allan McRae May 20, 2020, 4:22 a.m. UTC
Given RFC 4880 provides the code to do this calculation, I am not sure
how I managed to stuff that up!  This bug was only exposed when a
signature made with "include-key-block" was added to the Arch repos,
which provided a subpacket with the required size to hit this issue.

Signed-off-by: Allan McRae <allan@archlinux.org>
---

Also appropriate for 5.2.2

 lib/libalpm/signing.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Andrew Gregory May 31, 2020, 7:51 p.m. UTC | #1
On 05/20/20 at 02:22pm, Allan McRae wrote:
> Given RFC 4880 provides the code to do this calculation, I am not sure
> how I managed to stuff that up!  This bug was only exposed when a
> signature made with "include-key-block" was added to the Arch repos,
> which provided a subpacket with the required size to hit this issue.

LGTM. Though, it might be worth it to use + instead of | just so we
match 4880 and extract_keyid exactly.

> Signed-off-by: Allan McRae <allan@archlinux.org>
> ---
> 
> Also appropriate for 5.2.2
> 
>  lib/libalpm/signing.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c
> index c8eaaca2..422523b6 100644
> --- a/lib/libalpm/signing.c
> +++ b/lib/libalpm/signing.c
> @@ -1058,7 +1058,7 @@ static int parse_subpacket(alpm_handle_t *handle, const char *identifier,
>  				if(length_check(len, spos, 2, handle, identifier) != 0){
>  					return -1;
>  				}
> -				slen = (sig[spos] << 8) | sig[spos + 1];
> +				slen = (((sig[spos] - 192) << 8) | sig[spos + 1]) + 192;
>  				spos = spos + 2;
>  			} else {
>  				if(length_check(len, spos, 5, handle, identifier) != 0) {
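Review bot: on the `+` line, `| sig[spos + 1]` and the RFC's `+ (2nd_octet)` give the same result only because `(sig[spos] - 192) << 8` has a clear low byte and the second octet is at most 0xFF; that holds when `sig` is an unsigned octet buffer, which this subpacket parsing assumes anyway. Spelling it `((sig[spos] - 192) << 8) + sig[spos + 1] + 192`, as RFC 4880 section 5.2.3.1 and extract_keyid do, removes the need to argue the equivalence and keeps the three length cases in one style.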
> -- 
> 2.26.2
Allan McRae May 31, 2020, 10:42 p.m. UTC | #2
On 1/6/20 5:51 am, Andrew Gregory wrote:
> On 05/20/20 at 02:22pm, Allan McRae wrote:
>> Given RFC 4880 provides the code to do this calculation, I am not sure
>> how I managed to stuff that up!  This bug was only exposed when a
>> signature made with "include-key-block" was added to the Arch repos,
>> which provided a subpacket with the required size to hit this issue.
> 
> LGTM. Though, it might be worth it to use + instead of | just so we
> match 4880 and extract_keyid exactly.
> 

Done.
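As an added example that is not pacman's code, the RFC 4880 subpacket-length decoding the commit message refers to, carried through for all three header sizes, with the pre-fix two-octet formula kept beside it so the miscomputation shows on a constructed header. The function names `subpacket_len_octets`, `subpacket_len_rfc4880` and `subpacket_len_before_fix` are chosen here and are not pacman's.

```c
/* Added example, not pacman's code: decode an OpenPGP signature subpacket
 * length per RFC 4880 section 5.2.3.1, beside the formula the patch removes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length octets the header at buf[0] uses (1, 2 or 5), or 0 if fewer than
 * that many are available; the check length_check() does in parse_subpacket. */
size_t subpacket_len_octets(const unsigned char *buf, size_t avail)
{
	size_t need;
	if(avail < 1) {
		return 0;
	}
	need = buf[0] < 192 ? 1 : (buf[0] < 255 ? 2 : 5);
	return avail < need ? 0 : need;
}

/* Decoded subpacket length, or -1 if the buffer is truncated. */
int64_t subpacket_len_rfc4880(const unsigned char *buf, size_t avail)
{
	switch(subpacket_len_octets(buf, avail)) {
	case 1:
		return buf[0];
	case 2: /* ((1st_octet - 192) << 8) + 2nd_octet + 192: lengths 192..16319 */
		return ((int64_t)(buf[0] - 192) << 8) + buf[1] + 192;
	case 5: /* 1st_octet == 255: four-octet big-endian length follows */
		return ((int64_t)buf[1] << 24) | ((int64_t)buf[2] << 16)
		     | ((int64_t)buf[3] << 8) | buf[4];
	default:
		return -1;
	}
}

/* The two-octet formula from the patch's '-' line, kept for comparison:
 * it ignores the 192 bias, so 0xC0 0x08 (length 200) decodes as 49160. */
int64_t subpacket_len_before_fix(const unsigned char *buf)
{
	return ((int64_t)buf[0] << 8) | buf[1];
}

int main(void)
{
	/* constructed two-octet header encoding a 200-octet subpacket */
	const unsigned char hdr[] = { 0xC0, 0x08 };
	printf("rfc4880: %lld  before fix: %lld\n",
	       (long long)subpacket_len_rfc4880(hdr, sizeof(hdr)),
	       (long long)subpacket_len_before_fix(hdr));
	return 0;
}
```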

Patch

diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c
index c8eaaca2..422523b6 100644
--- a/lib/libalpm/signing.c
+++ b/lib/libalpm/signing.c
@@ -1058,7 +1058,7 @@  static int parse_subpacket(alpm_handle_t *handle, const char *identifier,
 				if(length_check(len, spos, 2, handle, identifier) != 0){
 					return -1;
 				}
-				slen = (sig[spos] << 8) | sig[spos + 1];
+				slen = (((sig[spos] - 192) << 8) | sig[spos + 1]) + 192;
 				spos = spos + 2;
 			} else {
 				if(length_check(len, spos, 5, handle, identifier) != 0) {
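Review bot: the replacement `slen = ...` line now matches the RFC, but nothing at the site says where the formula comes from; a comment such as `/* RFC 4880 5.2.3.1: ((1st_octet - 192) << 8) + 2nd_octet + 192 */` above it would have made the missing 192 bias in the old line obvious and records that two-octet headers cover lengths 192..16319. Since the defect went unnoticed until a signature with an embedded key block reached this branch, a regression test feeding a constructed two-octet header (0xC0 0x08, length 200) through parse_subpacket is worth adding with the fix. Minor: the context line `!= 0){` lacks the space before the brace that the `!= 0) {` line below has; not introduced here, but easy to tidy while touching this block.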