From 08d04faf2457e80b65b798f46bc71ac5a81b6d27 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Fri, 5 Nov 2004 20:42:28 +1100
Subject:    - djm@cvs.openbsd.org 2004/10/29 23:57:05      [key.c]      use
 new buffer API to avoid fatal errors on corrupt keys in authorized_keys     
 files; ok markus@

---
 ChangeLog |  6 +++++-
 key.c     | 38 +++++++++++++++++++++++++++-----------
 2 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f991fe7eb..009470049 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -58,6 +58,10 @@
      [bufaux.c bufaux.h buffer.c buffer.h]
      introduce a new buffer API that returns an error rather than fatal()ing
      when presented with bad data; ok markus@
+   - djm@cvs.openbsd.org 2004/10/29 23:57:05
+     [key.c]
+     use new buffer API to avoid fatal errors on corrupt keys in authorized_keys
+     files; ok markus@
 
 20041102
  - (dtucker) [configure.ac includes.h] Bug #947: Fix compile error on HP-UX
@@ -1837,4 +1841,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.3577 2004/11/05 09:41:24 dtucker Exp $
+$Id: ChangeLog,v 1.3578 2004/11/05 09:42:28 dtucker Exp $
diff --git a/key.c b/key.c
index 21b0869df..e41930464 100644
--- a/key.c
+++ b/key.c
@@ -32,7 +32,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: key.c,v 1.56 2004/07/28 09:40:29 markus Exp $");
+RCSID("$OpenBSD: key.c,v 1.57 2004/10/29 23:57:05 djm Exp $");
 
 #include <openssl/evp.h>
 
@@ -681,8 +681,8 @@ Key *
 key_from_blob(const u_char *blob, u_int blen)
 {
 	Buffer b;
-	char *ktype;
 	int rlen, type;
+	char *ktype = NULL;
 	Key *key = NULL;
 
 #ifdef DEBUG_PK
@@ -690,24 +690,38 @@ key_from_blob(const u_char *blob, u_int blen)
 #endif
 	buffer_init(&b);
 	buffer_append(&b, blob, blen);
-	ktype = buffer_get_string(&b, NULL);
+	if ((ktype = buffer_get_string_ret(&b, NULL)) == NULL) {
+		error("key_from_blob: can't read key type");
+		goto out;
+	}
+
 	type = key_type_from_name(ktype);
 
 	switch (type) {
 	case KEY_RSA:
 		key = key_new(type);
-		buffer_get_bignum2(&b, key->rsa->e);
-		buffer_get_bignum2(&b, key->rsa->n);
+		if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
+		    buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
+			error("key_from_blob: can't read rsa key");
+			key_free(key);
+			key = NULL;
+			goto out;
+		}
 #ifdef DEBUG_PK
 		RSA_print_fp(stderr, key->rsa, 8);
 #endif
 		break;
 	case KEY_DSA:
 		key = key_new(type);
-		buffer_get_bignum2(&b, key->dsa->p);
-		buffer_get_bignum2(&b, key->dsa->q);
-		buffer_get_bignum2(&b, key->dsa->g);
-		buffer_get_bignum2(&b, key->dsa->pub_key);
+		if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
+		    buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
+		    buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
+		    buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
+			error("key_from_blob: can't read dsa key");
+			key_free(key);
+			key = NULL;
+			goto out;
+		}
 #ifdef DEBUG_PK
 		DSA_print_fp(stderr, key->dsa, 8);
 #endif
@@ -717,12 +731,14 @@ key_from_blob(const u_char *blob, u_int blen)
 		break;
 	default:
 		error("key_from_blob: cannot handle type %s", ktype);
-		break;
+		goto out;
 	}
 	rlen = buffer_len(&b);
 	if (key != NULL && rlen != 0)
 		error("key_from_blob: remaining bytes in key blob %d", rlen);
-	xfree(ktype);
+ out:
+	if (ktype != NULL)
+		xfree(ktype);
 	buffer_free(&b);
 	return key;
 }
-- 
cgit v1.2.3