#267: file_read_publickey access violation
-------------------------------------------------+-------------------------
Reporter: wimvdh | Owner:
Type: defect | Status: new
Priority: blocker | Milestone: 1.4.3
Component: SFTP | Version: 1.4.2
Keywords: file_read_publickey access violation sp1 crash | Blocked By:
Blocks: |
-------------------------------------------------+-------------------------
file_read_publickey:
{{{
    if ((sp1 = memchr(pubkey, ' ', pubkey_len)) == NULL) {
        LIBSSH2_FREE(session, pubkey);
        return _libssh2_error(session, LIBSSH2_ERROR_FILE,
                              "Invalid public key data");
    }
    sp1++;
    if ((sp2 = memchr(sp1, ' ', pubkey_len - (sp1 - pubkey - 1))) == NULL)
    {
        /* Assume that the id string is missing, but that it's okay */
        sp2 = pubkey + pubkey_len;
    }
}}}
The memchr sometimes gives an access violation when the last char in
pubkey is at the end of the memory block.
The problem here is that sp1 already points to the char after the space,
which means "pubkey_len - (sp1 - pubkey - 1)" gives a length that goes 1 past
the end of the buffer.
Example:
Key is 208 long. (pubkey_len)
Space is at position 7. (sp1)
Increment by one is position 8 (sp1++)
208 - (8 - 0 - 1) = 201.
Reading 201 while there are only 200 chars left to read.
--
Ticket URL: <https://trac.libssh2.org/ticket/267>
libssh2 <https://trac.libssh2.org/>
C library for writing portable SSH2 clients
libssh2-devel mailing list: http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2013-07-13
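The off-by-one in the report, reproduced as an added example that is not libssh2's own code or the fix that shipped: `buggy_remaining()` is the length the ticket's second `memchr()` receives, `correct_remaining()` is the number of bytes actually left after `sp1`, and `split_pubkey()` parses a "method blob [comment]" line using the corrected bound so it never reads past `pubkey + pubkey_len`. The function names, the `pubkey_parts` struct and the `make_key()` helper are assumptions for this example; the key buffer it builds is a constructed sample laid out like the one in the report (208 bytes, first space at offset 7, no trailing NUL), with filler in place of real key data.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length the ticket's second memchr() receives.  sp1 has already been
 * advanced past the space, so the "- 1" undoes that step and the count
 * overshoots the buffer by one byte. */
size_t buggy_remaining(size_t pubkey_len, size_t sp1_off)
{
    return pubkey_len - (sp1_off - 1);
}

/* Bytes genuinely left in the buffer from offset sp1_off to the end. */
size_t correct_remaining(size_t pubkey_len, size_t sp1_off)
{
    return pubkey_len - sp1_off;
}

struct pubkey_parts {
    const char *method;  size_t method_len;   /* e.g. "ssh-rsa" */
    const char *blob;    size_t blob_len;     /* base64 key data */
    const char *comment; size_t comment_len;  /* id string, NULL if absent */
};

/* Split "method blob [comment]" held in exactly pubkey_len bytes (no NUL
 * terminator) without reading past pubkey + pubkey_len.
 * Returns 0 on success, -1 when the first space is missing. */
int split_pubkey(const char *pubkey, size_t pubkey_len, struct pubkey_parts *out)
{
    const char *end = pubkey + pubkey_len;
    const char *sp1 = memchr(pubkey, ' ', pubkey_len);
    const char *sp2;

    if (sp1 == NULL)
        return -1;                      /* "Invalid public key data" */
    out->method = pubkey;
    out->method_len = (size_t)(sp1 - pubkey);
    sp1++;

    /* Corrected bound: search only the bytes that remain after sp1. */
    sp2 = memchr(sp1, ' ', correct_remaining(pubkey_len, (size_t)(sp1 - pubkey)));
    if (sp2 == NULL)
        sp2 = end;                      /* id string missing, that's okay */
    out->blob = sp1;
    out->blob_len = (size_t)(sp2 - sp1);
    if (sp2 < end) {
        out->comment = sp2 + 1;
        out->comment_len = (size_t)(end - out->comment);
    } else {
        out->comment = NULL;
        out->comment_len = 0;
    }
    return 0;
}

/* Constructed sample: "ssh-rsa " + blob_len 'A's [+ " " + comment], allocated
 * at its exact length with no terminator, like a buffer read straight from a
 * file.  The blob is filler, not a real key.  Caller frees. */
char *make_key(size_t blob_len, const char *comment, size_t *len_out)
{
    size_t clen = comment ? strlen(comment) : 0;
    size_t len = 8 + blob_len + (comment ? 1 + clen : 0);
    char *buf = malloc(len);
    if (buf == NULL)
        return NULL;
    memcpy(buf, "ssh-rsa ", 8);
    memset(buf + 8, 'A', blob_len);
    if (comment) {
        buf[8 + blob_len] = ' ';
        memcpy(buf + 9 + blob_len, comment, clen);
    }
    *len_out = len;
    return buf;
}

int main(void)
{
    size_t len;
    struct pubkey_parts p;
    /* Same layout as the report: 208 bytes, space at offset 7, no comment,
     * so the second search has to stop exactly at the end of the buffer. */
    char *key = make_key(200, NULL, &len);
    if (key == NULL)
        return 1;
    printf("pubkey_len=%zu buggy length=%zu bytes remaining=%zu\n", len,
           buggy_remaining(len, 8), correct_remaining(len, 8));
    if (split_pubkey(key, len, &p) == 0)
        printf("method=%.*s blob_len=%zu comment=%s\n", (int)p.method_len,
               p.method, p.blob_len, p.comment ? "present" : "absent");
    free(key);
    return 0;
}
```

Run it under AddressSanitizer or Valgrind and swap `correct_remaining` for `buggy_remaining` in `split_pubkey` to see the one-byte heap over-read the report describes; with the exact-length allocation there is no NUL terminator to absorb the extra byte, which is why the crash only shows when the key data sits at the end of its memory block.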