lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-08-08 19:02:06 +03:00
Code Activity

pki: fail when pubkey buffer length is not ED25519_PK_LEN

Browse Source 
Fail fast in 'pki_import_pubkey_buffer' for the ED25519 case if a buffer
sized ED25519_PK_LEN can not be retrieved.  Before, the 'memcpy' could
have read beyond the bounds of 'ssh_string_data(pubkey)'.

Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Jon Simons
2014-09-27 01:58:38 -07:00
committed by Andreas Schneider
parent af25c5e668
commit 7edbedf0dd
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/pki.c
View File

@@ -768,13 +768,17 @@ static int pki_import_pubkey_buffer(ssh_buffer buffer,
case SSH_KEYTYPE_ED25519: case SSH_KEYTYPE_ED25519:
{ {
ssh_string pubkey = buffer_get_ssh_string(buffer); ssh_string pubkey = buffer_get_ssh_string(buffer);
if (ssh_string_len(pubkey) != ED25519_PK_LEN) { if (ssh_string_len(pubkey) != ED25519_PK_LEN) {
ssh_pki_log("Invalid public key length"); ssh_pki_log("Invalid public key length");
ssh_string_burn(pubkey);
ssh_string_free(pubkey);
goto fail;
} }
key->ed25519_pubkey = malloc(ED25519_PK_LEN); key->ed25519_pubkey = malloc(ED25519_PK_LEN);
if (key->ed25519_pubkey == NULL) { if (key->ed25519_pubkey == NULL) {
ssh_string_burn(pubkey);
ssh_string_free(pubkey);
goto fail; goto fail;
} }