2 files changed, 12 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index aefc0b8c9..1d990febb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@
    - djm@cvs.openbsd.org 2010/05/21 05:00:36
      [misc.c]
      colon() returns char*, so s/return (0)/return NULL/
+   - markus@cvs.openbsd.org 2010/06/08 21:32:19
+     [ssh-pkcs11.c]
+     check length of value returned  C_GetAttributValue for != 0
+     from mdrtbugzilla@codefive.co.uk; bugzilla #1773; ok dtucker@
 
 20100622
  - (djm) [loginrec.c] crank LINFO_NAMESIZE (username length) to 512
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 9460446d3..286c232c7 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.5 2010/04/15 20:32:55 markus Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.6 2010/06/08 21:32:19 markus Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
  *
@@ -433,7 +433,13 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp,
                         error("C_GetAttributeValue failed: %lu", rv);
                         continue;
                 }
-                /* allocate buffers for attributes, XXX check ulValueLen? */
+                /* check that none of the attributes are zero length */
+                if (attribs[0].ulValueLen == 0 ||
+                    attribs[1].ulValueLen == 0 ||
+                    attribs[2].ulValueLen == 0) {
+                        continue;
+                }
+                /* allocate buffers for attributes */
                 for (i = 0; i < 3; i++)
                         attribs[i].pValue = xmalloc(attribs[i].ulValueLen);
                 /* retrieve ID, modulus and public exponent of RSA key */