aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJon Simons <jon@jonsimons.org>2014-09-27 01:58:38 -0700
committerAndreas Schneider <asn@cryptomilk.org>2014-10-02 08:27:05 +0200
commit7edbedf0dd21657f5aefd0db5cb212330b8b2355 (patch)
tree7634bdc47c69c249d412b45e4ce70918db58ccf5
parentaf25c5e668fa817521496ac2278127b516f219d3 (diff)
downloadlibssh-7edbedf0dd21657f5aefd0db5cb212330b8b2355.tar.gz
libssh-7edbedf0dd21657f5aefd0db5cb212330b8b2355.tar.xz
libssh-7edbedf0dd21657f5aefd0db5cb212330b8b2355.zip
pki: fail when pubkey buffer length is not ED25519_PK_LEN
Fail fast in 'pki_import_pubkey_buffer' for the ED25519 case if a buffer sized ED25519_PK_LEN can not be retrieved. Before, the 'memcpy' could have read beyond the bounds of 'ssh_string_data(pubkey)'. Signed-off-by: Jon Simons <jon@jonsimons.org> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r--src/pki.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/pki.c b/src/pki.c
index 8fc7251a..cde803e6 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -768,13 +768,17 @@ static int pki_import_pubkey_buffer(ssh_buffer buffer,
case SSH_KEYTYPE_ED25519:
{
ssh_string pubkey = buffer_get_ssh_string(buffer);
-
if (ssh_string_len(pubkey) != ED25519_PK_LEN) {
ssh_pki_log("Invalid public key length");
+ ssh_string_burn(pubkey);
+ ssh_string_free(pubkey);
+ goto fail;
}
key->ed25519_pubkey = malloc(ED25519_PK_LEN);
if (key->ed25519_pubkey == NULL) {
+ ssh_string_burn(pubkey);
+ ssh_string_free(pubkey);
goto fail;
}