[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#801530: segfault is null-pointer dereference

.. and the exciting-looking address is apparently a typical load address for
the ssh binary.

# testing with the larger key attached to the initial comment
(gdb) run
Starting program: /home/jepler/src/openssh-6.7p1/ssh-keygen -l -f /home/jepler/Downloads/key.trigger.pub

Program received signal SIGSEGV, Segmentation fault.
0x0000555555567f9e in sshkey_read (ret=ret@entry=0x5555557c1300, 
    cpp=cpp@entry=0x7fffffff3a50) at sshkey.c:1201
1201                    if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0)
(gdb) p ret
$1 = (struct sshkey *) 0x5555557c1300
(gdb) p ret->rsa
$2 = (RSA *) 0x0
(gdb) where
#0  0x0000555555567f9e in sshkey_read (ret=ret@entry=0x5555557c1300, 
    cpp=cpp@entry=0x7fffffff3a50) at sshkey.c:1201
#1  0x000055555558272d in sshkey_try_load_public (k=k@entry=0x5555557c1300, 
    filename=filename@entry=0x5555557ba340 <identity_file> "/home/jepler/Downloads/key.trigger.pub", commentp=commentp@entry=0x7fffffff6b68) at authfile.c:331
#2  0x0000555555582f46 in sshkey_load_public (
    filename=0x5555557ba340 <identity_file> "/home/jepler/Downloads/key.trigger.pub", keyp=keyp@entry=0x7fffffff6b00, commentp=0x7fffffff6b68)
    at authfile.c:380
#3  0x0000555555572f28 in key_load_public (filename=<optimized out>, 
    commentp=<optimized out>) at key.c:365
#4  0x000055555555c209 in do_fingerprint (pw=<optimized out>)
    at ssh-keygen.c:807
#5  0x0000555555560594 in main (argc=4, argv=0x0) at ssh-keygen.c:2503

It's worth noting that disabling ssh compatibility code around line 1194 stops
the testcase from segfaulting and doesn't prevent printing the fingerprint of
an RSA key I had on hand.  Ah, but I see that rsa keys and rsa1 keys are
different and this does break printing rsa1 keys.

        case KEY_RSA1:
-#if WITH_SSH1
+#if 0
                /* Get number of bits. */

Reply to: