pki: Fix random memory corruption

Fixes T78 Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-06-29 09:22:26 +02:00 · 2018-06-29 09:22:26 +02:00 · 1444ae5add
--- a/src/pki.c
+++ b/src/pki.c
@ -1084,7 +1084,7 @@ int ssh_pki_import_pubkey_file(const char *filename, ssh_key *pkey)
    key_buf[size] = '\0';

    q = p = key_buf;
-    while (!isspace((int)*p)) p++;
+    while (*p != '\0' && !isspace((int)*p)) p++;
    *p = '\0';

    type = ssh_key_type_from_name(q);
@ -1093,7 +1093,7 @@ int ssh_pki_import_pubkey_file(const char *filename, ssh_key *pkey)
        return SSH_ERROR;
    }
    q = ++p;
-    while (!isspace((int)*p)) p++;
+    while (*p != '\0' && !isspace((int)*p)) p++;
    *p = '\0';

    rc = ssh_pki_import_pubkey_base64(q, type, pkey);
--- a/tests/torture_key.c
+++ b/tests/torture_key.c
@ -170,8 +170,7 @@ static const char torture_dsa_public_testkey[] =
        "AQDM+JcO6XTMdyXTKIo+tGsuA0kd4pxPol+UGeAruNBEhVSDcXfXTh9tVravBqeIuX"
        "gZIFk9cylR2eDwAAAIB4roDQBfgf8AoSAJAb7y8OVvxt5cT7iqaRMQX2XgtW09Nu9R"
        "bUIVS7n2mw3iqZG0xnG3iv1oL9gwNXMLlf+gLmsqU3788jaEZ9IhZ8VdgHAoHm6UWM"
-        "7b2uADmhirI6dRZUVO+/iMGUvDxa66OI4hDV055pbwQhtxupUatThyDzIg== "
-        "aris@aris-air\n";
+        "7b2uADmhirI6dRZUVO+/iMGUvDxa66OI4hDV055pbwQhtxupUatThyDzIg==\n";

 static const char torture_dsa_testkey_cert[] =
        "ssh-dss-cert-v01@openssh.com AAAAHHNzaC1kc3MtY2VydC12MDFAb3BlbnNza"
--- a/tests/unittests/torture_pki_rsa.c
+++ b/tests/unittests/torture_pki_rsa.c
@ -31,6 +31,8 @@ static int setup_rsa_key(void **state)
                       torture_get_testkey(SSH_KEYTYPE_RSA, 0, 1));
    torture_write_file(LIBSSH_RSA_TESTKEY ".pub",
                       torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0));
+    torture_write_file(LIBSSH_RSA_TESTKEY ".pub",
+                       torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0));
    torture_write_file(LIBSSH_RSA_TESTKEY "-cert.pub",
                       torture_get_testkey_pub(SSH_KEYTYPE_RSA_CERT01, 0));

@ -48,6 +50,21 @@ static int teardown(void **state) {
    return 0;
 }

+static void torture_pki_rsa_import_pubkey_file(void **state)
+{
+    ssh_key pubkey = NULL;
+    int rc;
+
+    (void)state;
+
+    /* The key doesn't have the hostname as comment after the key */
+    rc = ssh_pki_import_pubkey_file(LIBSSH_RSA_TESTKEY ".pub", &pubkey);
+    assert_return_code(rc, errno);
+    assert_non_null(pubkey);
+
+    ssh_key_free(pubkey);
+}
+
 static void torture_pki_rsa_import_privkey_base64_NULL_key(void **state)
 {
    int rc;
@ -546,6 +563,9 @@ static void torture_pki_rsa_import_privkey_base64_passphrase(void **state)
 int torture_run_tests(void) {
    int rc;
    struct CMUnitTest tests[] = {
+        cmocka_unit_test_setup_teardown(torture_pki_rsa_import_pubkey_file,
+                                        setup_rsa_key,
+                                        teardown),
        cmocka_unit_test_setup_teardown(torture_pki_rsa_import_privkey_base64_NULL_key,
                                        setup_rsa_key,
                                        teardown),