~mdw
/
sgt
/
putty
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Add another missing bounds check in the SSH-1 private key loader.
[sgt/putty]
/
sshpubk.c
diff --git
a/sshpubk.c
b/sshpubk.c
index
76aa343
..
b860040
100644
(file)
--- a/
sshpubk.c
+++ b/
sshpubk.c
@@
-74,7
+74,7
@@
static int loadrsakey_main(FILE * fp, struct RSAKey *key, int pub_only,
/* Next, the comment field. */
j = GET_32BIT(buf + i);
i += 4;
/* Next, the comment field. */
j = GET_32BIT(buf + i);
i += 4;
- if (len - i < j)
+ if (
j < 0 ||
len - i < j)
goto end;
comment = snewn(j + 1, char);
if (comment) {
goto end;
comment = snewn(j + 1, char);
if (comment) {
@@
-257,8
+257,8
@@
int rsakey_pubblob(const Filename *filename, void **blob, int *bloblen,
*blob = rsa_public_blob(&key, bloblen);
freersakey(&key);
ret = 1;
*blob = rsa_public_blob(&key, bloblen);
freersakey(&key);
ret = 1;
- fp = NULL;
}
}
+ fp = NULL; /* loadrsakey_main unconditionally closes fp */
} else {
error = "not an SSH-1 RSA file";
}
} else {
error = "not an SSH-1 RSA file";
}
@@
-679,7
+679,6
@@
struct ssh2_userkey *ssh2_load_userkey(const Filename *filename,
cipher = 0;
cipherblk = 1;
} else {
cipher = 0;
cipherblk = 1;
} else {
- sfree(encryption);
goto error;
}
goto error;
}