From 8005738eaf7c8a0d13509e1606601cf799f00dd2 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Sat, 10 Aug 2024 13:39:17 +0100
Subject: [PATCH] Fix infinite loop on a truncated RFC4176 public key file.

You could reproduce this, for example, by cutting the final line reading "---- END SSH2 PUBLIC KEY ----" off the end of a file, and feeding it to Unix 'puttygen -l'. rfc4716_loadpub() was looping round on get_chomped_line() until it found a line starting with "-" after the base64 data. But it failed to check for the end of the file as well, so if the data was truncated, it would just keep spinning at the end of the file.
---
 sshpubk.c | 2 ++
 test/cryptsuite.py | 30 ++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/sshpubk.c b/sshpubk.c
index afa1e4a9..0b3b922a 100644
--- a/sshpubk.c
+++ b/sshpubk.c
@@ -1096,6 +1096,8 @@ static bool rfc4716_loadpub(BinarySource *src, char **algorithm,
 }
 }
 sfree(line); line = NULL;
+ if (!get_avail(src))
+ break;
 line = mkstr(get_chomped_line(src));
 }
diff --git a/test/cryptsuite.py b/test/cryptsuite.py
index 78751965..5cdba58e 100755
--- a/test/cryptsuite.py
+++ b/test/cryptsuite.py
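Review bot: The new early exit in the base64 loop of rfc4716_loadpub leaves `line` set to NULL, because it is freed and cleared on the line just above the `get_avail()` test, so the end-line check after the loop (outside this hunk) has to tolerate a NULL pointer before comparing against the END marker. The test added in this commit expects "invalid end line in SSH-2 public key file" for truncated input, which suggests it does, but the dependency deserves a comment at the break: `/* EOF before the END line: leave line NULL so the end-line check below rejects the file */`. If the function has any other `get_chomped_line()` loop that waits for a delimiter (header parsing, for instance, which is not visible here), it would need the same `get_avail()` guard against truncated input.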
@@ -2949,6 +2949,36 @@ Private-MAC: 5b1f6f4cc43eb0060d2c3e181bc0129343adba2b
 self.assertEqual(rsa1_save_sb(k2, comment, pp), input_encrypted_key)
+ def testRFC4716(self):
+ key = """\
+---- BEGIN SSH2 PUBLIC KEY ----
+Comment: "rsa-key-20240810"
+AAAAB3NzaC1yc2EAAAADAQABAAABAQCKdLtvsewMpsbWQCNs8VOWKlh6eQT0gzbc
+IoDLFPk5uVS1HjAEEjIZaXAB86PHTeJhkwEMlMXZ8mUZwAcZkuqKVCSib/VkuMEv
+wXa4cOf70XMBUtUgRJ5bJRMsA8PNkZN/OQHyyBLgTXGoFPWq73A3fxPZIe8BSAN+
+mPuILX1GHUKbBzT56xRNwB5nHkg0MStEotkIzg3xRNIXB9qyP6ILO4Qax2n7+XJS
+lmzr0KDJq5ZNSEZV4IprvAYBeEtvdBfLrRM4kifpVDE7ZrVXtKOIGDsxdEEBeqqy
+LzN/Ly+uECsga2hoc+P/ZHMULMZkCfrOyWdeXz7BR/acLZJoT579
+---- END SSH2 PUBLIC KEY ----
+"""
+
+ comment = b"rsa-key-20240810"
+ public_blob = b64("""
+AAAAB3NzaC1yc2EAAAADAQABAAABAQCKdLtvsewMpsbWQCNs8VOWKlh6eQT0gzbc
+IoDLFPk5uVS1HjAEEjIZaXAB86PHTeJhkwEMlMXZ8mUZwAcZkuqKVCSib/VkuMEv
+wXa4cOf70XMBUtUgRJ5bJRMsA8PNkZN/OQHyyBLgTXGoFPWq73A3fxPZIe8BSAN+
+mPuILX1GHUKbBzT56xRNwB5nHkg0MStEotkIzg3xRNIXB9qyP6ILO4Qax2n7+XJS
+lmzr0KDJq5ZNSEZV4IprvAYBeEtvdBfLrRM4kifpVDE7ZrVXtKOIGDsxdEEBeqqy
+LzN/Ly+uECsga2hoc+P/ZHMULMZkCfrOyWdeXz7BR/acLZJoT579
+""")
+
+ self.assertEqual(ppk_loadpub_s(key),
+ (True, b'ssh-rsa', public_blob, comment, None))
+
+ self.assertEqual(ppk_loadpub_s(key[:len(key)//2]),
+ (False, None, b'', None,
+ b"invalid end line in SSH-2 public key file"))
+
 def testOpenSSHCert(self):
 def per_base_keytype_tests(alg, run_validation_tests=False, run_ca_rsa_tests=False, ca_signflags=None):
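Review bot: The truncated-input assertion in testRFC4716 cuts the file at `len(key)//2`, which lands inside the base64 body, so the reproduction named in the commit message (complete key data with only the END line missing) is not exercised, and neither is a cut inside the header block. Add a case such as `self.assertEqual(ppk_loadpub_s(key[:key.index("---- END")]), (False, None, b'', None, b"invalid end line in SSH-2 public key file"))`; the expected error text is assumed to match the mid-body case and should be confirmed against the loader. Because the regression mode is a hang rather than a wrong result, a failure here would stall the suite instead of reporting, which is worth a short comment above the truncated-input assertions, for example `# a regression here shows up as a hang, not an assertion failure`.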