summaryrefslogtreecommitdiff
path: root/ssh-rsa.c
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2010-08-31 22:36:39 +1000
committerDamien Miller <djm@mindrot.org>2010-08-31 22:36:39 +1000
commitda108ece6843f1268aa36d7c8ed0030dc53acd15 (patch)
tree66638a1716374a8d1ac8ece95dceea56ce231a5c /ssh-rsa.c
parentd96546f5b0f7c57395a338dbb9ac3ac5a48b77fa (diff)
- djm@cvs.openbsd.org 2010/08/31 09:58:37
[auth-options.c auth1.c auth2.c bufaux.c buffer.h kex.c key.c packet.c] [packet.h ssh-dss.c ssh-rsa.c] Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function. Use the new API in a few sensitive places. * actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
Diffstat (limited to 'ssh-rsa.c')
-rw-r--r--ssh-rsa.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/ssh-rsa.c b/ssh-rsa.c
index c471ff323..c6355fa09 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-rsa.c,v 1.44 2010/07/16 14:07:35 djm Exp $ */ 1/* $OpenBSD: ssh-rsa.c,v 1.45 2010/08/31 09:58:37 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org> 3 * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
4 * 4 *
@@ -127,7 +127,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
127 } 127 }
128 buffer_init(&b); 128 buffer_init(&b);
129 buffer_append(&b, signature, signaturelen); 129 buffer_append(&b, signature, signaturelen);
130 ktype = buffer_get_string(&b, NULL); 130 ktype = buffer_get_cstring(&b, NULL);
131 if (strcmp("ssh-rsa", ktype) != 0) { 131 if (strcmp("ssh-rsa", ktype) != 0) {
132 error("ssh_rsa_verify: cannot handle type %s", ktype); 132 error("ssh_rsa_verify: cannot handle type %s", ktype);
133 buffer_free(&b); 133 buffer_free(&b);