added check over recursive compression depth. Fixes CVE-2013-4402

git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@6880 b45a01b8-16f6-495d-af2f-9b41ad6348cc

openpgpsdk/src/openpgpsdk/packet-parse.c

@@ -53,6 +53,7 @@
 #include <openpgpsdk/final.h>
 
 static int debug=0;
+static const size_t MAX_RECURSIVE_COMPRESSION_DEPTH = 32 ;
 
 /**
  * limited_read_data reads the specified amount of the subregion's data 
@@ -1955,9 +1956,17 @@ static int parse_compressed(ops_region_t *region,ops_parse_info_t *pinfo)
     unsigned char c[1]="";
     ops_parser_content_t content;
 
+    if(pinfo->recursive_compression_depth > MAX_RECURSIVE_COMPRESSION_DEPTH)
+    {
+       fprintf(stderr,"Recursive compression down to depth 32. This is weird. Probably a packet crafted to crash PGP. Will be dropped!\n") ;
+       return 0 ;
+    }
+
     if(!limited_read(c,1,region,pinfo))
 	return 0;
 
+pinfo->recursive_compression_depth++ ;
+
     C.compressed.type=c[0];
 
     CBP(pinfo,OPS_PTAG_CT_COMPRESSED,&content);
@@ -1965,7 +1974,11 @@ static int parse_compressed(ops_region_t *region,ops_parse_info_t *pinfo)
     /* The content of a compressed data packet is more OpenPGP packets
        once decompressed, so recursively handle them */
 
-    return ops_decompress(region,pinfo,C.compressed.type);
+    int res = ops_decompress(region,pinfo,C.compressed.type);
+
+pinfo->recursive_compression_depth-- ;
+
+    return res ;
     }
 
 /**

openpgpsdk/src/openpgpsdk/parse_local.h

@@ -111,6 +111,7 @@ struct ops_parse_info
     ops_crypt_t decrypt;
     ops_crypt_info_t cryptinfo;
     size_t nhashes;
+	 size_t recursive_compression_depth ;
     ops_parse_hash_info_t *hashes;
     ops_boolean_t reading_v3_secret:1;
     ops_boolean_t reading_mpi_length:1;