https://bugzilla.mindrot.org/show_bug.cgi?id=3409
--- Comment #1 from Mateusz Adamowski <mateusz@adamowski.pl> ---
I managed to identify a minimal malformed input that crashes the program:
$ ssh-keygen -Y verify -n file -s ed25519.c.sig -f <( printf "?\x00\n" ) -I a < ed25519.c
The problem is probably with the strdelim_internal() function [misc.c:398].
When it cannot find an accepted separator (whitespace, quotes), it
returns the original pointer, but also sets the value passed by pointer
(char **s) to NULL.
This value is never checked in parse_principals_key_and_options()
[sshsig.c:718] and is ultimately passed to sshkey_read().
I added the following check right before the call to sshkey_read():
	if (cp == NULL) {
		error("%s:%lu: invalid line", path, linenum);
		r = SSH_ERR_INVALID_FORMAT;
		goto out;
	}
And it seems to solve this problem.
However, I think that the parse_principals_key_and_options() function
should have some extra pre-check that would immediately eliminate
malformed lines, especially those containing 0x00 and other
non-printable characters.
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
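To make the failure mode in the comment concrete, the following is an added C example, not OpenSSH's code. It uses a hypothetical tokenizer, next_token(), that behaves the way the report describes strdelim_internal() (when no separator follows the last token, it sets the caller's cursor to NULL); a parser, parse_signer_line(), that checks the cursor for NULL before reading each field, which is the check the reporter added before sshkey_read(); and line_is_clean(), the pre-check for embedded 0x00 and other non-printable bytes that the comment suggests. The function names, the "principals key-type key-blob" line layout and the sample lines are assumptions; the key blob is a constructed placeholder, not a real key.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { PARSE_OK = 0, PARSE_INVALID = -1 };

/* Pre-check suggested in the report: reject a line containing an embedded
 * NUL or any other non-printable byte (tab allowed). `len` is the byte count
 * the reader returned, so a 0x00 inside the line is visible even though it
 * would terminate the C string. */
static int
line_is_clean(const char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c == '\n' && i + 1 == len)
            continue;                       /* trailing newline is fine */
        if (c == '\0' || (c != '\t' && !isprint(c)))
            return 0;
    }
    return 1;
}

/* Hypothetical tokenizer with the behaviour the report describes: it returns
 * the token at *s and advances *s past the separator, but when no separator
 * follows the token it sets *s to NULL. Like a key reader, it assumes *s is
 * non-NULL on entry, so the caller must check the cursor first. */
static char *
next_token(char **s)
{
    char *tok = *s, *end = tok + strcspn(tok, " \t");
    if (*end == '\0') {
        *s = NULL;                          /* last token: nothing follows */
        return tok;
    }
    *end = '\0';
    *s = end + 1;
    while (**s == ' ' || **s == '\t')
        (*s)++;
    return tok;
}

/* Copy the next token into out; an empty token is rejected. */
static int
take(char **cp, char *out, size_t outlen)
{
    char *tok = next_token(cp);
    if (*tok == '\0')
        return 0;
    snprintf(out, outlen, "%s", tok);
    return 1;
}

/* Parse "principals key-type key-blob" into its three fields. */
static int
parse_signer_line(const char *buf, size_t len,
                  char *principals, size_t plen,
                  char *keytype, size_t klen,
                  char *keyblob, size_t blen)
{
    char line[1024];
    char *cp;

    if (len >= sizeof(line) || !line_is_clean(buf, len))
        return PARSE_INVALID;
    if (len > 0 && buf[len - 1] == '\n')
        len--;                              /* strip trailing newline */
    memcpy(line, buf, len);
    line[len] = '\0';
    cp = line;                              /* never NULL here */

    if (!take(&cp, principals, plen))
        return PARSE_INVALID;
    /* The check the reporter added before sshkey_read(): a bare "?" line
     * leaves cp == NULL here and the next read would dereference it. */
    if (cp == NULL || !take(&cp, keytype, klen))
        return PARSE_INVALID;
    if (cp == NULL || !take(&cp, keyblob, blen))
        return PARSE_INVALID;
    return PARSE_OK;
}

int
main(void)
{
    /* Constructed sample lines; the key blob is a placeholder, not a key. */
    const char *good = "user@example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE\n";
    const char bad[] = "?\x00\n";           /* the report's crashing input */
    char p[64], t[64], b[256];

    printf("good line: %d\n", parse_signer_line(good, strlen(good),
        p, sizeof p, t, sizeof t, b, sizeof b));
    printf("NUL line:  %d\n", parse_signer_line(bad, sizeof bad - 1,
        p, sizeof p, t, sizeof t, b, sizeof b));
    return 0;
}
```

Note that the pre-check needs the byte count from the reader (getline() or fread(), not strlen()), because the embedded 0x00 in the report's input is invisible to any NUL-terminated string function; the cursor check is what stops the "?" line, which survives the pre-check, from reaching the key reader with a NULL pointer.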