
[PATCH 1/3] pki: fail when pubkey buffer length is not ED25519_PK_LEN


From 575dae03b2078c40d216a851a3a6755bb5ec72e6 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Sat, 27 Sep 2014 01:58:38 -0700
Subject: [PATCH 1/3] pki: fail when pubkey buffer length is not ED25519_PK_LEN

Fail fast in 'pki_import_pubkey_buffer' for the ED25519 case if a buffer
sized ED25519_PK_LEN can not be retrieved.  Before, the 'memcpy' could
have read beyond the bounds of 'ssh_string_data(pubkey)'.

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 src/pki.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/pki.c b/src/pki.c
index 8fc7251..cde803e 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -768,13 +768,17 @@ static int pki_import_pubkey_buffer(ssh_buffer buffer,
         case SSH_KEYTYPE_ED25519:
         {
             ssh_string pubkey = buffer_get_ssh_string(buffer);
-
             if (ssh_string_len(pubkey) != ED25519_PK_LEN) {
                 ssh_pki_log("Invalid public key length");
+                ssh_string_burn(pubkey);
+                ssh_string_free(pubkey);
+                goto fail;
             }
 
             key->ed25519_pubkey = malloc(ED25519_PK_LEN);
             if (key->ed25519_pubkey == NULL) {
+                ssh_string_burn(pubkey);
+                ssh_string_free(pubkey);
                 goto fail;
             }
 
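Review bot: in the SSH_KEYTYPE_ED25519 case the result of buffer_get_ssh_string(buffer) is still passed to ssh_string_len() without a NULL check, so a short or malformed buffer only reaches the new `goto fail` if ssh_string_len(), ssh_string_burn() and ssh_string_free() all tolerate a NULL argument. An explicit `if (pubkey == NULL) goto fail;` ahead of the length comparison would make the fail-fast behaviour independent of those helpers. The burn/free pair is also repeated on both error paths; since the string holds a public key, ssh_string_burn() adds nothing for secrecy here, and either dropping it or routing both paths through one cleanup step would be tidier. The blank line removed after the declaration is an unrelated whitespace change and could be left out of this patch.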
-- 
2.1.1.602.g02f248d

