
Bug#801530: openssh-client: Segfault on malformed keys - possible security impact



  The following patch seems to me to be a reasonable stab at fixing
 the NULL pointer dereference.

  Tested on Debian Jessie (amd64), against keys of type:

    * dsa
    * ecdsa
    * ed25519
    * rsa
    * rsa1

  On a valid key it shows the fingerprint.  On my bogus sample it shows:

  line 2 too long: 4...
  /home/steve/fuz/output/crashes/crash.min.pub is not a public key file.

  Patch below.  Feel free to include/rework.

Steve
-- 


--- sshkey.c.orig   2015-10-13 22:42:26.178252307 +0300
+++ sshkey.c    2015-10-13 22:42:58.781080815 +0300
@@ -1198,6 +1198,9 @@
            bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8)
            return SSH_ERR_INVALID_FORMAT;  /* Bad bit count... */
 
+                if ( ret->rsa == NULL )
+                    return SSH_ERR_INVALID_FORMAT;
+
        /* Get public exponent, public modulus. */
        if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0)
            return r;
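Review bot: the new guard does not match the style of the surrounding code: it is indented two levels deeper than the neighbouring statements and pads the condition as `if ( ret->rsa == NULL )`, whereas the file writes `if (` without inner spaces; it should read `if (ret->rsa == NULL)` at the same indentation as the `/* Get public exponent, public modulus. */` line. A short trailing comment in the style of the existing `/* Bad bit count... */` one, saying why `ret->rsa` can be NULL at this point before `ret->rsa->e` is dereferenced in `read_decimal_bignum()`, would also help the next reader understand what malformed input this check rejects.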

