mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-10 01:48:00 +00:00
Sanity-check the 'Public-Lines' field in ppk files.
If it's too large, memory allocation can fail, or worse, under-allocate due to integer overflow.
This commit is contained in:
parent
baa04337a4
commit
63a58759b5
36
sshpubk.c
36
sshpubk.c
@ -24,6 +24,18 @@
|
||||
|
||||
static int key_type_fp(FILE *fp);
|
||||
|
||||
/*
|
||||
* Fairly arbitrary size limit on any public or private key blob.
|
||||
* Chosen to match AGENT_MAX_MSGLEN, on the basis that any key too
|
||||
* large to transfer over the ssh-agent protocol is probably too large
|
||||
* to be useful in general.
|
||||
*
|
||||
* MAX_KEY_BLOB_LINES is the corresponding limit on the Public-Lines
|
||||
* or Private-Lines header field in a key file.
|
||||
*/
|
||||
#define MAX_KEY_BLOB_SIZE 262144
|
||||
#define MAX_KEY_BLOB_LINES (MAX_KEY_BLOB_SIZE / 48)
|
||||
|
||||
static int rsa_ssh1_load_main(FILE * fp, RSAKey *key, bool pub_only,
|
||||
char **commentptr, const char *passphrase,
|
||||
const char **error)
|
||||
@ -514,7 +526,9 @@ static bool read_blob(FILE *fp, int nlines, BinarySink *bs)
|
||||
int i, j, k;
|
||||
|
||||
/* We expect at most 64 base64 characters, ie 48 real bytes, per line. */
|
||||
assert(nlines < MAX_KEY_BLOB_LINES);
|
||||
blob = snewn(48 * nlines, unsigned char);
|
||||
|
||||
for (i = 0; i < nlines; i++) {
|
||||
line = read_body(fp);
|
||||
if (!line) {
|
||||
@ -584,6 +598,16 @@ static void ssh2_ppk_derivekey(ptrlen passphrase, uint8_t *key)
|
||||
ssh_hash_final(h, key + 20);
|
||||
}
|
||||
|
||||
static int userkey_parse_line_counter(const char *text)
|
||||
{
|
||||
char *endptr;
|
||||
unsigned long ul = strtoul(text, &endptr, 10);
|
||||
if (*text && !*endptr && ul < MAX_KEY_BLOB_LINES)
|
||||
return ul;
|
||||
else
|
||||
return -1;
|
||||
}
|
||||
|
||||
ssh2_userkey *ssh2_load_userkey(
|
||||
const Filename *filename, const char *passphrase, const char **errorstr)
|
||||
{
|
||||
@ -665,8 +689,10 @@ ssh2_userkey *ssh2_load_userkey(
|
||||
goto error;
|
||||
if ((b = read_body(fp)) == NULL)
|
||||
goto error;
|
||||
i = atoi(b);
|
||||
i = userkey_parse_line_counter(b);
|
||||
sfree(b);
|
||||
if (i < 0)
|
||||
goto error;
|
||||
public_blob = strbuf_new();
|
||||
if (!read_blob(fp, i, BinarySink_UPCAST(public_blob)))
|
||||
goto error;
|
||||
@ -676,8 +702,10 @@ ssh2_userkey *ssh2_load_userkey(
|
||||
goto error;
|
||||
if ((b = read_body(fp)) == NULL)
|
||||
goto error;
|
||||
i = atoi(b);
|
||||
i = userkey_parse_line_counter(b);
|
||||
sfree(b);
|
||||
if (i < 0)
|
||||
goto error;
|
||||
private_blob = strbuf_new_nm();
|
||||
if (!read_blob(fp, i, BinarySink_UPCAST(private_blob)))
|
||||
goto error;
|
||||
@ -1106,8 +1134,10 @@ bool ssh2_userkey_loadpub(const Filename *filename, char **algorithm,
|
||||
goto error;
|
||||
if ((b = read_body(fp)) == NULL)
|
||||
goto error;
|
||||
i = atoi(b);
|
||||
i = userkey_parse_line_counter(b);
|
||||
sfree(b);
|
||||
if (i < 0)
|
||||
goto error;
|
||||
if (!read_blob(fp, i, bs))
|
||||
goto error;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user