From 7edbedf0dd21657f5aefd0db5cb212330b8b2355 Mon Sep 17 00:00:00 2001
From: Jon Simons
Date: Sat, 27 Sep 2014 01:58:38 -0700
Subject: [PATCH] pki: fail when pubkey buffer length is not ED25519_PK_LEN

Fail fast in 'pki_import_pubkey_buffer' for the ED25519 case if a buffer sized ED25519_PK_LEN can not be retrieved. Before, the 'memcpy' could have read beyond the bounds of 'ssh_string_data(pubkey)'.

Signed-off-by: Jon Simons
Reviewed-by: Andreas Schneider
---
 src/pki.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/pki.c b/src/pki.c
index 8fc7251a..cde803e6 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -768,13 +768,17 @@ static int pki_import_pubkey_buffer(ssh_buffer buffer,
 case SSH_KEYTYPE_ED25519:
 {
 ssh_string pubkey = buffer_get_ssh_string(buffer);
-
 if (ssh_string_len(pubkey) != ED25519_PK_LEN) {
 ssh_pki_log("Invalid public key length");
+ ssh_string_burn(pubkey);
+ ssh_string_free(pubkey);
+ goto fail;
 }
 key->ed25519_pubkey = malloc(ED25519_PK_LEN);
 if (key->ed25519_pubkey == NULL) {
+ ssh_string_burn(pubkey);
+ ssh_string_free(pubkey);
 goto fail;
 }