When importing malformed public key (e.g. one not ending with a white-space character) it is possible for libssh to overwrite memory outside of a block allocated for key_buf in ssh_pki_import_pubkey_file().
Signed-off-by: Jan Stancek <[email protected]> Signed-off-by: Artem Savkov <[email protected]> --- src/pki.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/pki.c b/src/pki.c index 39a7515..cfc5b23 100644 --- a/src/pki.c +++ b/src/pki.c @@ -1067,7 +1067,7 @@ int ssh_pki_import_pubkey_file(const char *filename, ssh_key *pkey) key_buf[size] = '\0'; q = p = key_buf; - while (!isspace((int)*p)) p++; + while (*p && !isspace((int)*p)) p++; *p = '\0'; type = ssh_key_type_from_name(q); @@ -1075,9 +1075,13 @@ int ssh_pki_import_pubkey_file(const char *filename, ssh_key *pkey) SAFE_FREE(key_buf); return SSH_ERROR; } - q = ++p; - while (!isspace((int)*p)) p++; - *p = '\0'; + if (p - key_buf < size) { + q = ++p; + while (*p && !isspace((int)*p)) p++; + *p = '\0'; + } else { + q = p; + } rc = ssh_pki_import_pubkey_base64(q, type, pkey); SAFE_FREE(key_buf); -- 2.5.5
