[openssh-commits] [openssh] 01/01: upstream commit

[git+noreply at mindrot.org]

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit d2d51003a623e21fb2b25567c4878d915e90aa2a
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Tue Nov 18 01:02:25 2014 +0000

    upstream commit
    
    fix NULL pointer dereference crash in key loading
    
    found by Michal Zalewski's AFL fuzzer
---
 sshkey.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/sshkey.c b/sshkey.c
index cbf3c2d..6981738 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.4 2014/10/08 21:45:48 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.5 2014/11/18 01:02:25 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
@@ -1233,9 +1233,7 @@ sshkey_read(struct sshkey *ret, char **cpp)
 		cp = space+1;
 		if (*cp == '\0')
 			return SSH_ERR_INVALID_FORMAT;
-		if (ret->type == KEY_UNSPEC) {
-			ret->type = type;
-		} else if (ret->type != type)
+		if (ret->type != KEY_UNSPEC && ret->type != type)
 			return SSH_ERR_KEY_TYPE_MISMATCH;
 		if ((blob = sshbuf_new()) == NULL)
 			return SSH_ERR_ALLOC_FAIL;
@@ -1262,7 +1260,7 @@ sshkey_read(struct sshkey *ret, char **cpp)
 			sshkey_free(k);
 			return SSH_ERR_EC_CURVE_MISMATCH;
 		}
-/*XXXX*/
+		ret->type = type;
 		if (sshkey_is_cert(ret)) {
 			if (!sshkey_is_cert(k)) {
 				sshkey_free(k);

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.