# HG changeset patch
# User Matt Johnston
# Date 1647426923 -28800
# Node ID a7b66ea1863206b044ab21418d8be0cfa12e5923
# Parent 30fd047f6ebfae8df94972c2f7a782676dd73091
Don't set pubkey_info directly in checkpubkey_line

This makes it safe to use from fuzzer-pubkey without leaking the value since the cleanup isn't called
diff -r 30fd047f6ebf -r a7b66ea18632 svr-authpubkey.c
--- a/svr-authpubkey.c Wed Mar 16 17:32:43 2022 +0800
+++ b/svr-authpubkey.c Wed Mar 16 18:35:23 2022 +0800
@@ -257,9 +257,12 @@
 }
 
 
+/* Content for SSH_PUBKEYINFO is optionally returned malloced in ret_info (will be freed if already set */
 static int checkpubkey_line(buffer* line, int line_num, const char* filename,
 const char* algo, unsigned int algolen,
- const unsigned char* keyblob, unsigned int keybloblen) {
+ const unsigned char* keyblob, unsigned int keybloblen,
+ char ** ret_info) {
 buffer *options_buf = NULL;
 char *info_str = NULL;
 unsigned int pos, len, infopos, infolen;
@@ -378,17 +381,20 @@
 ret = cmp_base64_key(keyblob, keybloblen, (const unsigned char *) algo, algolen, line, NULL);
 
 /* free pubkey_info if it is filled */
- if (ses.authstate.pubkey_info) {
- m_free(ses.authstate.pubkey_info);
+ if (ret_info && *ret_info) {
+ m_free(*ret_info);
+ *ret_info = NULL;
 }
 
 if (ret == DROPBEAR_SUCCESS) {
 if (options_buf) {
 ret = svr_add_pubkey_options(options_buf, line_num, filename);
 }
- /* take the (optional) public key information */
- ses.authstate.pubkey_info = info_str;
- info_str = NULL;
+ if (ret_info) {
+ /* take the (optional) public key information */
+ *ret_info = info_str;
+ info_str = NULL;
+ }
 }
 
 out:
@@ -470,7 +476,8 @@
 }
 line_num++;
 
- ret = checkpubkey_line(line, line_num, filename, keyalgo, keyalgolen, keyblob, keybloblen);
+ ret = checkpubkey_line(line, line_num, filename, keyalgo, keyalgolen,
+ keyblob, keybloblen, &ses.authstate.pubkey_info);
 if (ret == DROPBEAR_SUCCESS) {
 break;
 }
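Review bot: The new header comment above checkpubkey_line is unbalanced (the `(will be` parenthesis is never closed) and does not state that ret_info may be NULL, which is the mode the fuzz wrapper relies on. Suggest replacing it with `/* ret_info may be NULL. If non-NULL, any existing *ret_info is freed and, on a matching line, replaced with the malloced SSH_PUBKEYINFO content (left NULL when the line carries none); the caller owns and frees it. */`. The body of checkpubkey_line continues past the end of the hunk.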
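Review bot: The `m_free(*ret_info)` in the second hunk runs before ret is examined, so every call through a non-NULL ret_info releases the caller's previous value even when this line does not match; that mirrors the old global behaviour, but now that the pointer comes from the caller the precondition belongs in a comment next to the check, e.g. `/* *ret_info must be NULL or m_malloc'd: it is released on every call */`. Separately, the new `if (ret_info)` block still hands info_str to the caller after svr_add_pubkey_options has just set ret to a failure value, so a caller can receive pubkey info for a line that failed; `if (ret_info && ret == DROPBEAR_SUCCESS) {` would avoid that, provided info_str is released on the out: path, which lies outside the hunk. If m_free already resets its argument (it appears to be a macro), the explicit `*ret_info = NULL;` is harmless but redundant.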
@@ -587,7 +594,7 @@
 int fuzz_checkpubkey_line(buffer* line, int line_num, char* filename,
 const char* algo, unsigned int algolen,
 const unsigned char* keyblob, unsigned int keybloblen) {
- return checkpubkey_line(line, line_num, filename, algo, algolen, keyblob, keybloblen);
+ return checkpubkey_line(line, line_num, filename, algo, algolen, keyblob, keybloblen, NULL);
 }
 #endif
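Review bot: fuzz_checkpubkey_line declares `char* filename` although it only forwards it to a `const char* filename` parameter; `const char* filename` in the wrapper would match the callee's contract, if the fuzzer harness that calls it permits the change. The reason for the NULL argument is worth recording at the call, e.g. `/* NULL: discard SSH_PUBKEYINFO content so the harness owns no allocation */`. Whether the discarded info_str is released on checkpubkey_line's out: path is not visible in this hunk.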