diff options
author | Xi Wang <xi.wang@gmail.com> | 2011-11-25 23:01:18 -0500 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2012-10-22 21:00:08 +0200 |
commit | cab00c3bfcc88e7321fb9670956758cdee50f49c (patch) | |
tree | f1ff4bbb85362015e99e8cec6d18322b86f59bc7 /src/pki.c | |
parent | d404ad71525a5cad91d030e20c5346470b20e46d (diff) | |
download | libssh-cab00c3bfcc88e7321fb9670956758cdee50f49c.tar.gz libssh-cab00c3bfcc88e7321fb9670956758cdee50f49c.tar.xz libssh-cab00c3bfcc88e7321fb9670956758cdee50f49c.zip |
pki: Fix integer overflow in ssh_pki_import_privkey_file().
If the file size is ULONG_MAX, the call to malloc() may allocate a
small buffer, leading to a memory corruption.
Diffstat (limited to 'src/pki.c')
-rw-r--r-- | src/pki.c | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -457,6 +457,7 @@ int ssh_pki_import_privkey_file(const char *filename, filename, strerror(errno)); return SSH_ERROR; } + key_buf[size] = 0; key = pki_private_key_from_base64(key_buf, passphrase, auth_fn, auth_data); SAFE_FREE(key_buf); @@ -815,6 +816,10 @@ int ssh_pki_import_pubkey_file(const char *filename, ssh_key *pkey) return SSH_ERROR; } + if (sb.st_size + 1 < sb.st_size) { + return SSH_ERROR; + } + file = fopen(filename, "r"); if (file == NULL) { ssh_pki_log("Error opening %s: %s", |