authorXi Wang <xi.wang@gmail.com>2011-11-25 23:01:18 -0500
committerAndreas Schneider <asn@cryptomilk.org>2012-10-22 21:00:08 +0200
commitcab00c3bfcc88e7321fb9670956758cdee50f49c (patch)
treef1ff4bbb85362015e99e8cec6d18322b86f59bc7 /src/pki.c
parentd404ad71525a5cad91d030e20c5346470b20e46d (diff)
pki: Fix integer overflow in ssh_pki_import_privkey_file().
If the file size is ULONG_MAX, the call to malloc() may allocate a small buffer, leading to memory corruption.
Diffstat (limited to 'src/pki.c')
-rw-r--r--src/pki.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/pki.c b/src/pki.c
index 9f677b02..977f4bc1 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -457,6 +457,7 @@ int ssh_pki_import_privkey_file(const char *filename,
filename, strerror(errno));
return SSH_ERROR;
}
+ key_buf[size] = 0;
key = pki_private_key_from_base64(key_buf, passphrase, auth_fn, auth_data);
SAFE_FREE(key_buf);
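Review bot: The added `key_buf[size] = 0;` is in bounds only if key_buf was allocated with at least size + 1 bytes, and neither that allocation nor the assignment of size is visible here, because ssh_pki_import_privkey_file starts above the hunk and continues below it. The commit title names this function for the overflow fix, yet the wrap guard appears only in the ssh_pki_import_pubkey_file hunk, so if the buffer here is sized from `sb.st_size + 1`, the same guard is presumably needed before that malloc(). If the code above matches that assumption, a comment on the write would record the invariant, for example `/* key_buf has sb.st_size + 1 bytes; size is the fread() count, so size <= sb.st_size */`.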
@@ -815,6 +816,10 @@ int ssh_pki_import_pubkey_file(const char *filename, ssh_key *pkey)
return SSH_ERROR;
}
+ if (sb.st_size + 1 < sb.st_size) {
+ return SSH_ERROR;
+ }
+
file = fopen(filename, "r");
if (file == NULL) {
ssh_pki_log("Error opening %s: %s",
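Review bot: The guard `sb.st_size + 1 < sb.st_size` relies on signed wraparound, which is undefined behaviour. Assuming sb is a struct stat, st_size is an off_t, a signed type, so a compiler may fold the comparison to false and drop the check. Comparing against a limit avoids the overflow, e.g. `if (sb.st_size < 0 || (uintmax_t)sb.st_size >= SIZE_MAX) {`, and a small fixed cap on key-file size would be stricter still, since a public key file anywhere near that size is not legitimate input. The early return also logs nothing, unlike the fopen() failure path just below it, which makes the rejection hard to diagnose. The function body starts above the hunk and continues past its last line.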