diff options
author | djm@openbsd.org <djm@openbsd.org> | 2014-11-18 01:02:25 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2014-11-18 12:00:51 +1100 |
commit | d2d51003a623e21fb2b25567c4878d915e90aa2a (patch) | |
tree | 42968fcc6ddaf3326af4084a39d8be002f88cd6a | |
parent | 9f9fad0191028edc43d100d0ded39419b6895fdf (diff) |
upstream commit
fix NULL pointer dereference crash in key loading
found by Michal Zalewski's AFL fuzzer
-rw-r--r-- | sshkey.c | 8 |
1 files changed, 3 insertions, 5 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshkey.c,v 1.4 2014/10/08 21:45:48 djm Exp $ */ | 1 | /* $OpenBSD: sshkey.c,v 1.5 2014/11/18 01:02:25 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. | 4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. |
@@ -1233,9 +1233,7 @@ sshkey_read(struct sshkey *ret, char **cpp) | |||
1233 | cp = space+1; | 1233 | cp = space+1; |
1234 | if (*cp == '\0') | 1234 | if (*cp == '\0') |
1235 | return SSH_ERR_INVALID_FORMAT; | 1235 | return SSH_ERR_INVALID_FORMAT; |
1236 | if (ret->type == KEY_UNSPEC) { | 1236 | if (ret->type != KEY_UNSPEC && ret->type != type) |
1237 | ret->type = type; | ||
1238 | } else if (ret->type != type) | ||
1239 | return SSH_ERR_KEY_TYPE_MISMATCH; | 1237 | return SSH_ERR_KEY_TYPE_MISMATCH; |
1240 | if ((blob = sshbuf_new()) == NULL) | 1238 | if ((blob = sshbuf_new()) == NULL) |
1241 | return SSH_ERR_ALLOC_FAIL; | 1239 | return SSH_ERR_ALLOC_FAIL; |
@@ -1262,7 +1260,7 @@ sshkey_read(struct sshkey *ret, char **cpp) | |||
1262 | sshkey_free(k); | 1260 | sshkey_free(k); |
1263 | return SSH_ERR_EC_CURVE_MISMATCH; | 1261 | return SSH_ERR_EC_CURVE_MISMATCH; |
1264 | } | 1262 | } |
1265 | /*XXXX*/ | 1263 | ret->type = type; |
1266 | if (sshkey_is_cert(ret)) { | 1264 | if (sshkey_is_cert(ret)) { |
1267 | if (!sshkey_is_cert(k)) { | 1265 | if (!sshkey_is_cert(k)) { |
1268 | sshkey_free(k); | 1266 | sshkey_free(k); |