1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 01:02:24 +00:00

Sanity-check the 'Public-Lines' field in ppk files.

If it's too large, memory allocation can fail, or worse,
under-allocate due to integer overflow.
This commit is contained in:
Simon Tatham 2019-01-19 07:40:07 +00:00
parent baa04337a4
commit 63a58759b5

View File

@ -24,6 +24,18 @@
static int key_type_fp(FILE *fp); static int key_type_fp(FILE *fp);
/*
* Fairly arbitrary size limit on any public or private key blob.
* Chosen to match AGENT_MAX_MSGLEN, on the basis that any key too
* large to transfer over the ssh-agent protocol is probably too large
* to be useful in general.
*
* MAX_KEY_BLOB_LINES is the corresponding limit on the Public-Lines
* or Private-Lines header field in a key file.
*/
#define MAX_KEY_BLOB_SIZE 262144
#define MAX_KEY_BLOB_LINES (MAX_KEY_BLOB_SIZE / 48)
static int rsa_ssh1_load_main(FILE * fp, RSAKey *key, bool pub_only, static int rsa_ssh1_load_main(FILE * fp, RSAKey *key, bool pub_only,
char **commentptr, const char *passphrase, char **commentptr, const char *passphrase,
const char **error) const char **error)
@ -514,7 +526,9 @@ static bool read_blob(FILE *fp, int nlines, BinarySink *bs)
int i, j, k; int i, j, k;
/* We expect at most 64 base64 characters, ie 48 real bytes, per line. */ /* We expect at most 64 base64 characters, ie 48 real bytes, per line. */
assert(nlines < MAX_KEY_BLOB_LINES);
blob = snewn(48 * nlines, unsigned char); blob = snewn(48 * nlines, unsigned char);
for (i = 0; i < nlines; i++) { for (i = 0; i < nlines; i++) {
line = read_body(fp); line = read_body(fp);
if (!line) { if (!line) {
@ -584,6 +598,16 @@ static void ssh2_ppk_derivekey(ptrlen passphrase, uint8_t *key)
ssh_hash_final(h, key + 20); ssh_hash_final(h, key + 20);
} }
static int userkey_parse_line_counter(const char *text)
{
char *endptr;
unsigned long ul = strtoul(text, &endptr, 10);
if (*text && !*endptr && ul < MAX_KEY_BLOB_LINES)
return ul;
else
return -1;
}
ssh2_userkey *ssh2_load_userkey( ssh2_userkey *ssh2_load_userkey(
const Filename *filename, const char *passphrase, const char **errorstr) const Filename *filename, const char *passphrase, const char **errorstr)
{ {
@ -665,8 +689,10 @@ ssh2_userkey *ssh2_load_userkey(
goto error; goto error;
if ((b = read_body(fp)) == NULL) if ((b = read_body(fp)) == NULL)
goto error; goto error;
i = atoi(b); i = userkey_parse_line_counter(b);
sfree(b); sfree(b);
if (i < 0)
goto error;
public_blob = strbuf_new(); public_blob = strbuf_new();
if (!read_blob(fp, i, BinarySink_UPCAST(public_blob))) if (!read_blob(fp, i, BinarySink_UPCAST(public_blob)))
goto error; goto error;
@ -676,8 +702,10 @@ ssh2_userkey *ssh2_load_userkey(
goto error; goto error;
if ((b = read_body(fp)) == NULL) if ((b = read_body(fp)) == NULL)
goto error; goto error;
i = atoi(b); i = userkey_parse_line_counter(b);
sfree(b); sfree(b);
if (i < 0)
goto error;
private_blob = strbuf_new_nm(); private_blob = strbuf_new_nm();
if (!read_blob(fp, i, BinarySink_UPCAST(private_blob))) if (!read_blob(fp, i, BinarySink_UPCAST(private_blob)))
goto error; goto error;
@ -1106,8 +1134,10 @@ bool ssh2_userkey_loadpub(const Filename *filename, char **algorithm,
goto error; goto error;
if ((b = read_body(fp)) == NULL) if ((b = read_body(fp)) == NULL)
goto error; goto error;
i = atoi(b); i = userkey_parse_line_counter(b);
sfree(b); sfree(b);
if (i < 0)
goto error;
if (!read_blob(fp, i, bs)) if (!read_blob(fp, i, bs))
goto error; goto error;