Bug#801530: openssh-client: Segfault on malformed keys - possible security impact
The following patch seems to me to be a reasonable stab at fixing
the NULL pointer dereference.
Tested on Debian Jessie (amd64), against keys of type:
* dsa
* ecdsa
* ed25519
* rsa
* rsa1
On a valid key it shows the fingerprint. On my bogus sample it shows:
line 2 too long: 4...
/home/steve/fuz/output/crashes/crash.min.pub is not a public key file.
Patch below. Feel free to include/rework.
Steve
--
--- sshkey.c.orig 2015-10-13 22:42:26.178252307 +0300
+++ sshkey.c 2015-10-13 22:42:58.781080815 +0300
@@ -1198,6 +1198,9 @@
bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8)
return SSH_ERR_INVALID_FORMAT; /* Bad bit count... */
+ if ( ret->rsa == NULL )
+ return SSH_ERR_INVALID_FORMAT;
+
/* Get public exponent, public modulus. */
if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0)
return r;
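Review bot: the NULL check on `ret->rsa` in this hunk is placed after the bit-count check, so the function has already parsed `bits` from the line before it discovers that `ret` cannot hold an RSA1 key; testing `ret->rsa` before any parsing, at the start of the RSA1 branch, keeps the guard next to the reason it exists. The check also returns SSH_ERR_INVALID_FORMAT, which the caller reports as "is not a public key file" (see the sample output above), although a NULL `ret->rsa` is a property of the key object passed in rather than of the file; a one-line comment on the check explaining when `ret->rsa` can be NULL here, or a type-mismatch error code if the tree defines one, would make that distinction visible to the next reader. Style: the surrounding code writes conditions without spaces inside the parentheses, as in `if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0)`, so `if (ret->rsa == NULL)` matches better than `if ( ret->rsa == NULL )`.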