Bug#801530: segfault is null-pointer dereference
.. and the exciting-looking address is apparently a typical load address for
the ssh binary.
# testing with the larger key attached to the initial comment
(gdb) run
Starting program: /home/jepler/src/openssh-6.7p1/ssh-keygen -l -f /home/jepler/Downloads/key.trigger.pub
Program received signal SIGSEGV, Segmentation fault.
0x0000555555567f9e in sshkey_read (ret=ret@entry=0x5555557c1300,
cpp=cpp@entry=0x7fffffff3a50) at sshkey.c:1201
1201 if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0)
(gdb) p ret
$1 = (struct sshkey *) 0x5555557c1300
(gdb) p ret->rsa
$2 = (RSA *) 0x0
(gdb) where
#0 0x0000555555567f9e in sshkey_read (ret=ret@entry=0x5555557c1300,
cpp=cpp@entry=0x7fffffff3a50) at sshkey.c:1201
#1 0x000055555558272d in sshkey_try_load_public (k=k@entry=0x5555557c1300,
filename=filename@entry=0x5555557ba340 <identity_file> "/home/jepler/Downloads/key.trigger.pub", commentp=commentp@entry=0x7fffffff6b68) at authfile.c:331
#2 0x0000555555582f46 in sshkey_load_public (
filename=0x5555557ba340 <identity_file> "/home/jepler/Downloads/key.trigger.pub", keyp=keyp@entry=0x7fffffff6b00, commentp=0x7fffffff6b68)
at authfile.c:380
#3 0x0000555555572f28 in key_load_public (filename=<optimized out>,
commentp=<optimized out>) at key.c:365
#4 0x000055555555c209 in do_fingerprint (pw=<optimized out>)
at ssh-keygen.c:807
#5 0x0000555555560594 in main (argc=4, argv=0x0) at ssh-keygen.c:2503
It's worth noting that disabling ssh compatibility code around line 1194 stops
the testcase from segfaulting and doesn't prevent printing the fingerprint of
an RSA key I had on hand. Ah, but I see that rsa keys and rsa1 keys are
different and this does break printing rsa1 keys.
@@sshkey_read
case KEY_RSA1:
-#if WITH_SSH1
+#if 0
/* Get number of bits. */
Reply to: