diff options
author | djm@openbsd.org <djm@openbsd.org> | 2020-05-01 04:23:11 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-05-01 16:40:11 +1000 |
commit | 99ce9cefbe532ae979744c6d956b49f4b02aff82 (patch) | |
tree | 827652826b5a58badd6f7b675793fba13c8aa9f6 /ssh-keygen.c | |
parent | 6c6072ba8b079e6f5caa38b011a6f4570c14ed38 (diff) |
upstream: avoid NULL dereference when attempting to convert invalid
ssh.com private keys using "ssh-keygen -i"; spotted by Michael Forney
OpenBSD-Commit-ID: 2e56e6d26973967d11d13f56ea67145f435bf298
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index d50ca5f28..d7974f3dc 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-keygen.c,v 1.407 2020/04/20 04:43:57 djm Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.408 2020/05/01 04:23:11 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -669,9 +669,10 @@ do_convert_from_ssh2(struct passwd *pw, struct sshkey **k, int *private) | |||
669 | encoded[len-3] = '\0'; | 669 | encoded[len-3] = '\0'; |
670 | if ((r = sshbuf_b64tod(buf, encoded)) != 0) | 670 | if ((r = sshbuf_b64tod(buf, encoded)) != 0) |
671 | fatal("%s: base64 decoding failed: %s", __func__, ssh_err(r)); | 671 | fatal("%s: base64 decoding failed: %s", __func__, ssh_err(r)); |
672 | if (*private) | 672 | if (*private) { |
673 | *k = do_convert_private_ssh2(buf); | 673 | if ((*k = do_convert_private_ssh2(buf)) == NULL) |
674 | else if ((r = sshkey_fromb(buf, k)) != 0) | 674 | fatal("%s: private key conversion failed", __func__); |
675 | } else if ((r = sshkey_fromb(buf, k)) != 0) | ||
675 | fatal("decode blob failed: %s", ssh_err(r)); | 676 | fatal("decode blob failed: %s", ssh_err(r)); |
676 | sshbuf_free(buf); | 677 | sshbuf_free(buf); |
677 | fclose(fp); | 678 | fclose(fp); |