From 1444ae5add315df23a20db48474b1e357b0385e0 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Fri, 29 Jun 2018 09:22:26 +0200
Subject: [PATCH] pki: Fix random memory corruption

Fixes T78

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
---
 src/pki.c                         |  4 ++--
 tests/torture_key.c               |  3 +--
 tests/unittests/torture_pki_rsa.c | 20 ++++++++++++++++++++
 3 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/src/pki.c b/src/pki.c
index d2e6f61c..157a3496 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -1084,7 +1084,7 @@ int ssh_pki_import_pubkey_file(const char *filename, ssh_key *pkey)
     key_buf[size] = '\0';
 
     q = p = key_buf;
-    while (!isspace((int)*p)) p++;
+    while (*p != '\0' && !isspace((int)*p)) p++;
     *p = '\0';
 
     type = ssh_key_type_from_name(q);
@@ -1093,7 +1093,7 @@ int ssh_pki_import_pubkey_file(const char *filename, ssh_key *pkey)
         return SSH_ERROR;
     }
     q = ++p;
-    while (!isspace((int)*p)) p++;
+    while (*p != '\0' && !isspace((int)*p)) p++;
     *p = '\0';
 
     rc = ssh_pki_import_pubkey_base64(q, type, pkey);
diff --git a/tests/torture_key.c b/tests/torture_key.c
index a52fcdac..c0ec845a 100644
--- a/tests/torture_key.c
+++ b/tests/torture_key.c
@@ -170,8 +170,7 @@ static const char torture_dsa_public_testkey[] =
         "AQDM+JcO6XTMdyXTKIo+tGsuA0kd4pxPol+UGeAruNBEhVSDcXfXTh9tVravBqeIuX"
         "gZIFk9cylR2eDwAAAIB4roDQBfgf8AoSAJAb7y8OVvxt5cT7iqaRMQX2XgtW09Nu9R"
         "bUIVS7n2mw3iqZG0xnG3iv1oL9gwNXMLlf+gLmsqU3788jaEZ9IhZ8VdgHAoHm6UWM"
-        "7b2uADmhirI6dRZUVO+/iMGUvDxa66OI4hDV055pbwQhtxupUatThyDzIg== "
-        "aris@aris-air\n";
+        "7b2uADmhirI6dRZUVO+/iMGUvDxa66OI4hDV055pbwQhtxupUatThyDzIg==\n";
 
 static const char torture_dsa_testkey_cert[] =
         "ssh-dss-cert-v01@openssh.com AAAAHHNzaC1kc3MtY2VydC12MDFAb3BlbnNza"
diff --git a/tests/unittests/torture_pki_rsa.c b/tests/unittests/torture_pki_rsa.c
index 54e459f9..1f4f8402 100644
--- a/tests/unittests/torture_pki_rsa.c
+++ b/tests/unittests/torture_pki_rsa.c
@@ -31,6 +31,8 @@ static int setup_rsa_key(void **state)
                        torture_get_testkey(SSH_KEYTYPE_RSA, 0, 1));
     torture_write_file(LIBSSH_RSA_TESTKEY ".pub",
                        torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0));
+    torture_write_file(LIBSSH_RSA_TESTKEY ".pub",
+                       torture_get_testkey_pub(SSH_KEYTYPE_RSA, 0));
     torture_write_file(LIBSSH_RSA_TESTKEY "-cert.pub",
                        torture_get_testkey_pub(SSH_KEYTYPE_RSA_CERT01, 0));
 
@@ -48,6 +50,21 @@ static int teardown(void **state) {
     return 0;
 }
 
+static void torture_pki_rsa_import_pubkey_file(void **state)
+{
+    ssh_key pubkey = NULL;
+    int rc;
+
+    (void)state;
+
+    /* The key doesn't have the hostname as comment after the key */
+    rc = ssh_pki_import_pubkey_file(LIBSSH_RSA_TESTKEY ".pub", &pubkey);
+    assert_return_code(rc, errno);
+    assert_non_null(pubkey);
+
+    ssh_key_free(pubkey);
+}
+
 static void torture_pki_rsa_import_privkey_base64_NULL_key(void **state)
 {
     int rc;
@@ -546,6 +563,9 @@ static void torture_pki_rsa_import_privkey_base64_passphrase(void **state)
 int torture_run_tests(void) {
     int rc;
     struct CMUnitTest tests[] = {
+        cmocka_unit_test_setup_teardown(torture_pki_rsa_import_pubkey_file,
+                                        setup_rsa_key,
+                                        teardown),
         cmocka_unit_test_setup_teardown(torture_pki_rsa_import_privkey_base64_NULL_key,
                                         setup_rsa_key,
                                         teardown),