comparison svr-authpubkey.c @ 1888:a7b66ea18632

Don't set pubkey_info directly in checkpubkey_line. This makes it safe to use from fuzzer-pubkey without leaking the value, since the cleanup isn't called.
author Matt Johnston <matt@ucc.asn.au>
date Wed, 16 Mar 2022 18:35:23 +0800
parents 5d8dbb6fdab7
children f8ed10efaaac
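--- a/svr-authpubkey.c
+++ b/svr-authpubkey.c
@@ -255,13 +255,16 @@
 encrypt_packet();
 TRACE(("leave send_msg_userauth_pk_ok"))
 
 }
 
+/* Content for SSH_PUBKEYINFO is optionally returned malloced in ret_info (will be
+freed if already set */
 static int checkpubkey_line(buffer* line, int line_num, const char* filename,
 const char* algo, unsigned int algolen,
-const unsigned char* keyblob, unsigned int keybloblen) {
+const unsigned char* keyblob, unsigned int keybloblen,
+char ** ret_info) {
 buffer *options_buf = NULL;
 char *info_str = NULL;
 unsigned int pos, len, infopos, infolen;
 int ret = DROPBEAR_FAILURE;
 
@@ -376,21 +379,24 @@
 TRACE(("checkpubkey_line: line pos = %d len = %d", line->pos, line->len))
 
 ret = cmp_base64_key(keyblob, keybloblen, (const unsigned char *) algo, algolen, line, NULL);
 
 /* free pubkey_info if it is filled */
-if (ses.authstate.pubkey_info) {
-m_free(ses.authstate.pubkey_info);
+if (ret_info && *ret_info) {
+m_free(*ret_info);
+*ret_info = NULL;
 }
 
 if (ret == DROPBEAR_SUCCESS) {
 if (options_buf) {
 ret = svr_add_pubkey_options(options_buf, line_num, filename);
 }
-/* take the (optional) public key information */
-ses.authstate.pubkey_info = info_str;
-info_str = NULL;
+if (ret_info) {
+/* take the (optional) public key information */
+*ret_info = info_str;
+info_str = NULL;
+}
 }
 
 out:
 if (options_buf) {
 buf_free(options_buf);
@@ -468,11 +474,12 @@
 TRACE(("checkpubkey: authorized_keys EOF reached"))
 break;
 }
 line_num++;
 
-ret = checkpubkey_line(line, line_num, filename, keyalgo, keyalgolen, keyblob, keybloblen);
+ret = checkpubkey_line(line, line_num, filename, keyalgo, keyalgolen,
+keyblob, keybloblen, &ses.authstate.pubkey_info);
 if (ret == DROPBEAR_SUCCESS) {
 break;
 }
 
 /* We continue to the next line otherwise */
@@ -585,10 +592,10 @@
 
 #if DROPBEAR_FUZZ
 int fuzz_checkpubkey_line(buffer* line, int line_num, char* filename,
 const char* algo, unsigned int algolen,
 const unsigned char* keyblob, unsigned int keybloblen) {
-return checkpubkey_line(line, line_num, filename, algo, algolen, keyblob, keybloblen);
+return checkpubkey_line(line, line_num, filename, algo, algolen, keyblob, keybloblen, NULL);
 }
 #endif
 
 #endif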
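Review bot: In checkpubkey_line the `if (ret_info)` block runs even when `svr_add_pubkey_options()` has just turned `ret` into a failure, so a rejected authorized_keys line still hands its info string to the caller; the old code behaved the same way and the commit carries it over. With the caller passing `&ses.authstate.pubkey_info`, this is the value the header comment ties to SSH_PUBKEYINFO, so it can describe a key line that did not authenticate until a later line reaches the free. I would guard the hand-over with `if (ret == DROPBEAR_SUCCESS && ret_info) {`, which presumably leaves `info_str` to the `out:` cleanup; that cleanup continues past the end of the hunk, so confirm it frees `info_str`. The comment `/* free pubkey_info if it is filled */` could also become `/* free any previous value held in *ret_info */`, and the new header comment is missing its closing parenthesis.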