https://bugzilla.mindrot.org/show_bug.cgi?id=3409
--- Comment #1 from Mateusz Adamowski <[email protected]> ---
I managed to identify a minimal malformed input that crashes the program:

    $ ssh-keygen -Y verify -n file -s ed25519.c.sig -f <( printf "?\x00\n" ) -I a < ed25519.c

The problem is probably with the strdelim_internal() function [misc.c:398].
When it cannot find an accepted separator (whitespace, quotes), it returns the
original pointer, but it also sets the value passed by pointer (char **s) to
NULL. This value is never checked in parse_principals_key_and_options()
[sshsig.c:718] and is ultimately passed to sshkey_read().

I added the following check right before the call to sshkey_read():

    if (cp == NULL) {
            error("%s:%lu: invalid line", path, linenum);
            r = SSH_ERR_INVALID_FORMAT;
            goto out;
    }

And it seems to solve this problem.

However, I think that the parse_principals_key_and_options() function should
have an extra pre-check that would immediately eliminate malformed lines,
especially those containing 0x00 and other non-printable characters.

_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
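The two defences discussed in the comment above, as an added example that is not part of the original comment and is not OpenSSH's code: a caller that refuses a NULL remainder, plus a length-aware pre-check for NUL and other non-printable bytes. Assumptions: `next_token()` is a simplified stand-in for the tokenizer contract described above, and `line_is_clean()`, `parse_allowed_line()` and `ERR_INVALID_FORMAT` are hypothetical names.

```c
#include <ctype.h>
#include <string.h>

#define ERR_INVALID_FORMAT (-4)   /* hypothetical error code for this example */

/* Simplified stand-in tokenizer with the contract described above: returns
 * the token start; if no separator is left, it sets *s to NULL. */
static char *next_token(char **s)
{
	char *old = *s;

	if (old == NULL)
		return NULL;
	*s = strpbrk(old, " \t");
	if (*s == NULL)
		return old;            /* last token: nothing remains */
	*(*s)++ = '\0';
	*s += strspn(*s, " \t");   /* skip the rest of the separator run */
	return old;
}

/* Pre-check: reject lines with an embedded NUL or other non-printable bytes.
 * len is the byte count reported by the line reader, not strlen(). */
static int line_is_clean(const char *line, size_t len)
{
	for (size_t i = 0; i < len; i++) {
		unsigned char c = (unsigned char)line[i];
		if (c == '\n' && i == len - 1)
			continue;          /* a trailing newline is fine */
		if (c != '\t' && !isprint(c))
			return 0;
	}
	return 1;
}

/* Split "principals key-text" and refuse to hand a NULL remainder onward. */
int parse_allowed_line(char *line, size_t len, char **principals, char **key)
{
	char *cp = line;

	*principals = *key = NULL;
	if (!line_is_clean(line, len))
		return ERR_INVALID_FORMAT;
	*principals = next_token(&cp);
	if (cp == NULL || *cp == '\0')     /* no key field after principals */
		return ERR_INVALID_FORMAT;
	*key = cp;
	return 0;
}
```

The pre-check needs the length returned by the line reader, because `strlen()` stops at the embedded NUL and would see only `?`.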
