From 1f757928051b6d6ff231b2265bad2d263b0fe3ea Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Thu, 19 Feb 2015 20:05:10 +0000
Subject: [PATCH] Fix an erroneous length field in SSH-1 key load.

We incremented buf by a few bytes, so we must decrement the corresponding length by the same amount, or else makekey() could overrun. Thanks to Patrick Coleman for the patch.
---
 sshpubk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sshpubk.c b/sshpubk.c
index 87f1ebf3..74cf1080 100644
--- a/sshpubk.c
+++ b/sshpubk.c
@@ -67,7 +67,7 @@ static int loadrsakey_main(FILE * fp, struct RSAKey *key, int pub_only,
 i += 4;

 /* Now the serious stuff. An ordinary SSH-1 public key. */
- j = makekey(buf + i, len, key, NULL, 1);
+ j = makekey(buf + i, len - i, key, NULL, 1);
 if (j < 0)
 goto end; /* overran */
 i += j;
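Review bot: The corrected call `makekey(buf + i, len - i, key, NULL, 1)` relies on `i <= len` at this point, and nothing in the hunk shows that; if the key file can be shorter than the header bytes already skipped, `len - i` goes negative, and what makekey() does with a negative length is not visible here. Unless an earlier check in loadrsakey_main already guarantees it, I would add `if (len - i < 0) goto end;` just before the call. The same remaining-length rule applies to any later parser call that is handed `buf + i` after `i += j`, so those are worth checking in the same pass. The function begins and ends outside this hunk, so both points need confirming against the full body.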