diff options
author | Jon Simons <jon@jonsimons.org> | 2014-09-27 01:58:38 -0700 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2014-10-02 08:27:05 +0200 |
commit | 7edbedf0dd21657f5aefd0db5cb212330b8b2355 (patch) | |
tree | 7634bdc47c69c249d412b45e4ce70918db58ccf5 /src | |
parent | af25c5e668fa817521496ac2278127b516f219d3 (diff) | |
download | libssh-7edbedf0dd21657f5aefd0db5cb212330b8b2355.tar.gz libssh-7edbedf0dd21657f5aefd0db5cb212330b8b2355.tar.xz libssh-7edbedf0dd21657f5aefd0db5cb212330b8b2355.zip |
pki: fail when pubkey buffer length is not ED25519_PK_LEN
Fail fast in 'pki_import_pubkey_buffer' for the ED25519 case if a buffer
sized ED25519_PK_LEN can not be retrieved. Before, the 'memcpy' could
have read beyond the bounds of 'ssh_string_data(pubkey)'.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/pki.c | 6 |
1 files changed, 5 insertions, 1 deletions
@@ -768,13 +768,17 @@ static int pki_import_pubkey_buffer(ssh_buffer buffer, case SSH_KEYTYPE_ED25519: { ssh_string pubkey = buffer_get_ssh_string(buffer); - if (ssh_string_len(pubkey) != ED25519_PK_LEN) { ssh_pki_log("Invalid public key length"); + ssh_string_burn(pubkey); + ssh_string_free(pubkey); + goto fail; } key->ed25519_pubkey = malloc(ED25519_PK_LEN); if (key->ed25519_pubkey == NULL) { + ssh_string_burn(pubkey); + ssh_string_free(pubkey); goto fail; } |