ssh_pki_import_pubkey_file() will randomly corrupt memory
Open, High, Public

Description

ssh_pki_import_pubkey_file expects the public key to be in the following format, containing two spaces:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/LFXLaKKdBsX1XE8Kd80uWX0WV13Ztumpga4qY1kk5ww+O/FRk46zfxpf6Wju1/C3EKhRtByQxV9RWbgQF+er2i1py23KJAkQkECWXJEffxhasT76tSAs5W2S7gzCefYXw0PV4rwr4WXOzz03tMHPOAw2ZMl+Go8W2GlGGlODH+UllGjIn0UrYKPsZLrxx0mnpiRk4YJatPHGO7YzlUOdfa8CjF4Up2LipB3upY+euDSJlnDLMHOoskRtZJQzwsappkogGWewAuHS1o9gFQH/D6VJsqKTSwZ0wubXJq3IHPZstLz4Tfs8JnHW3vmZb4oZwhfQlokZEnEe5fBzWH1B user@host

However, it is legal to not include the user@host at the end of the public key, like this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/LFXLaKKdBsX1XE8Kd80uWX0WV13Ztumpga4qY1kk5ww+O/FRk46zfxpf6Wju1/C3EKhRtByQxV9RWbgQF+er2i1py23KJAkQkECWXJEffxhasT76tSAs5W2S7gzCefYXw0PV4rwr4WXOzz03tMHPOAw2ZMl+Go8W2GlGGlODH+UllGjIn0UrYKPsZLrxx0mnpiRk4YJatPHGO7YzlUOdfa8CjF4Up2LipB3upY+euDSJlnDLMHOoskRtZJQzwsappkogGWewAuHS1o9gFQH/D6VJsqKTSwZ0wubXJq3IHPZstLz4Tfs8JnHW3vmZb4oZwhfQlokZEnEe5fBzWH1B

On key import, it keeps doing this until the next space after the key data is found:

q = ++p;                          /* q: start of the key data, one byte past the space */
while (!isspace((int)*p)) p++;    /* walk until whitespace; nothing bounds it to the buffer */
*p = '\0';                        /* terminator written wherever that walk stopped */

So a random NULL byte is entered into memory because there is no space.

The walk should at least be constrained by the size of the key imported.
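As an added illustration (not code from the report or from libssh), the parser below keeps every scan bounded by the buffer length and never writes into the input. It also includes a check that reports whether the loop quoted above would have left the buffer for a given line, which is exactly the no-comment, no-newline case the report describes. The function names, the struct, and SAMPLE_DATA (a constructed placeholder, not a real key) are all assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder for the base64 key field; not a real key. */
#define SAMPLE_DATA "AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0constructedsampledata=="

/* Parsed view into the caller's buffer: pointers plus lengths, so the
 * parser never modifies the buffer and never needs a terminator. */
struct pubkey_fields {
    const char *type;    size_t type_len;
    const char *data;    size_t data_len;
    const char *comment; size_t comment_len;   /* comment == NULL if absent */
};

/* Advance over non-whitespace bytes, never past `end`. */
static const char *scan_token(const char *p, const char *end) {
    while (p < end && !isspace((unsigned char)*p)) p++;
    return p;
}

/* Advance over whitespace bytes, never past `end`. */
static const char *skip_spaces(const char *p, const char *end) {
    while (p < end && isspace((unsigned char)*p)) p++;
    return p;
}

/* Parse "type base64data [comment]" from a buffer of exactly `len` bytes.
 * Returns 0 on success, -1 if the type or key-data field is missing.
 * Because every walk stops at `end`, a line whose key data runs to the
 * last byte (no comment, no newline) is handled the same as any other. */
int parse_pubkey_line(const char *buf, size_t len, struct pubkey_fields *out) {
    const char *end = buf + len;
    const char *p = skip_spaces(buf, end);
    const char *q;

    memset(out, 0, sizeof(*out));

    q = scan_token(p, end);
    if (q == p) return -1;                  /* empty line */
    out->type = p; out->type_len = (size_t)(q - p);

    p = skip_spaces(q, end);
    q = scan_token(p, end);
    if (q == p) return -1;                  /* no key data */
    out->data = p; out->data_len = (size_t)(q - p);

    p = skip_spaces(q, end);
    if (p < end) {                          /* optional comment, trailing whitespace trimmed */
        q = end;
        while (q > p && isspace((unsigned char)q[-1])) q--;
        out->comment = p; out->comment_len = (size_t)(q - p);
    }
    return 0;
}

/* Report whether the unbounded `while (!isspace(*p)) p++` walk from the
 * report would step past this buffer: it only stops at whitespace, so if
 * no whitespace follows the key data inside `len` bytes it keeps going. */
int unbounded_walk_would_escape(const char *buf, size_t len) {
    const char *end = buf + len;
    const char *p = scan_token(skip_spaces(buf, end), end);   /* end of type */
    p = skip_spaces(p, end);                                   /* start of key data */
    return scan_token(p, end) == end;
}

/* Compare a (pointer, length) span with a C string literal. */
static int span_eq(const char *s, size_t n, const char *lit) {
    return s != NULL && strlen(lit) == n && memcmp(s, lit, n) == 0;
}

/* Convenience check used by main and the tests: parse `line` and compare
 * each field; pass comment == NULL to require that no comment was found. */
int fields_match(const char *line, const char *type, const char *data, const char *comment) {
    struct pubkey_fields f;
    if (parse_pubkey_line(line, strlen(line), &f) != 0) return 0;
    if (!span_eq(f.type, f.type_len, type)) return 0;
    if (!span_eq(f.data, f.data_len, data)) return 0;
    if (comment == NULL) return f.comment == NULL;
    return span_eq(f.comment, f.comment_len, comment);
}

int main(void) {
    const char *with_comment = "ssh-rsa " SAMPLE_DATA " user@host\n";
    const char *no_comment   = "ssh-rsa " SAMPLE_DATA;   /* no comment, no newline */

    printf("with comment: parsed=%d escape=%d\n",
           fields_match(with_comment, "ssh-rsa", SAMPLE_DATA, "user@host"),
           unbounded_walk_would_escape(with_comment, strlen(with_comment)));
    printf("no comment:   parsed=%d escape=%d\n",
           fields_match(no_comment, "ssh-rsa", SAMPLE_DATA, NULL),
           unbounded_walk_would_escape(no_comment, strlen(no_comment)));
    return 0;
}
```

The design choice is to carry (pointer, length) pairs instead of writing terminators into the input; with that, the length of the file read is the only bound the parser needs, and the missing-comment case stops being special.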

nickb937 created this task. Dec 5 2017, 12:13 PM
asn claimed this task. Dec 21 2017, 12:43 PM
asn triaged this task as High priority.