Subject: [libssh2] #267: file_read_publickey access violation

From: libssh2 Trac <trac_at_libssh2.stuge.se>
Date: Fri, 12 Jul 2013 22:52:03 -0000

#267: file_read_publickey access violation
-------------------------------------------------+-------------------------
 Reporter:  wimvdh                               |      Owner:
     Type:  defect                               |     Status:  new
 Priority:  blocker                              |  Milestone:  1.4.3
Component:  SFTP                                 |    Version:  1.4.2
 Keywords:  file_read_publickey access           | Blocked By:
            violation sp1 crash                  |
   Blocks:                                       |
-------------------------------------------------+-------------------------
 file_read_publickey:

 {{{
     if ((sp1 = memchr(pubkey, ' ', pubkey_len)) == NULL) {
         LIBSSH2_FREE(session, pubkey);
         return _libssh2_error(session, LIBSSH2_ERROR_FILE,
                               "Invalid public key data");
     }

     sp1++;

     if ((sp2 = memchr(sp1, ' ', pubkey_len - (sp1 - pubkey - 1))) == NULL) {
         /* Assume that the id string is missing, but that it's okay */
         sp2 = pubkey + pubkey_len;
     }

 }}}

 The memchr sometimes gives an access violation when the last char in
 pubkey is at the end of the memory block.
 Problem here is that sp1 already points to the char after the space, which
 means "pubkey_len - (sp1 - pubkey - 1)" gives a length which goes 1 past
 the length of the buffer.

 Example:
 Key is 208 long. (pubkey_len)
 Space is at position 7. (sp1)
 Increment by one is position 8 (sp1++)
 208 - (8 - 0 - 1) = 201.
 Reading 201 while there are only 200 chars left to read.

-- 
Ticket URL: <https://trac.libssh2.org/ticket/267>
libssh2 <https://trac.libssh2.org/>
C library for writing portable SSH2 clients
Received on 2013-07-13
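Added example, not code from the ticket or from libssh2: it reproduces the reporter's length arithmetic with the ticket's own numbers (208-byte key, space at offset 7, sp1 at offset 8) and shows a hypothetical hardened parse whose memchr length is exactly the bytes remaining after sp1. The key strings are constructed samples, not real keys.

```c
#include <stddef.h>
#include <string.h>

/* Bytes left after sp1 as the ticket's code computes them:
 * pubkey_len - (sp1 - pubkey - 1). sp1 has already been incremented past
 * the space, so this is one byte too many. */
size_t remaining_len_buggy(size_t pubkey_len, size_t sp1_off)
{
    return pubkey_len - (sp1_off - 1);
}

/* Correct count: the bytes from sp1 to the end of the buffer. */
size_t remaining_len_fixed(size_t pubkey_len, size_t sp1_off)
{
    return pubkey_len - sp1_off;
}

/* Hypothetical hardened parse of "type blob [comment]" from a buffer that
 * is not NUL-terminated. Stores the start of the blob in *blob and returns
 * its length, or (size_t)-1 if there is no first space. The memchr length
 * is exactly the bytes remaining, so it never reads past pubkey_len. */
size_t key_blob_len(const char *pubkey, size_t pubkey_len, const char **blob)
{
    const char *sp1, *sp2;

    if ((sp1 = memchr(pubkey, ' ', pubkey_len)) == NULL)
        return (size_t)-1;
    sp1++;
    if ((sp2 = memchr(sp1, ' ', pubkey_len - (size_t)(sp1 - pubkey))) == NULL)
        sp2 = pubkey + pubkey_len;   /* no comment: blob runs to the end */
    *blob = sp1;
    return (size_t)(sp2 - sp1);
}

/* Constructed samples (not real keys); lengths deliberately exclude the
 * terminating NUL so the parser sees a bare, unterminated buffer. */
size_t demo_no_comment(void)
{
    static const char key[] = "ssh-rsa AAAAB3NzaC1yc2E";   /* 23 bytes */
    const char *blob;
    return key_blob_len(key, sizeof key - 1, &blob);      /* -> 15 */
}

size_t demo_with_comment(void)
{
    static const char key[] = "ssh-rsa AAAAB3Nz user@host";   /* 26 bytes */
    const char *blob;
    return key_blob_len(key, sizeof key - 1, &blob);         /* -> 8 */
}
```

With the ticket's numbers the buggy formula yields 201 where only 200 bytes remain; a buffer that ends right after the first space (e.g. 8 bytes, sp1 at offset 8) gets a length of 1 instead of 0, which is the case where memchr touches memory past the block.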