avoid NULL deref via ssh-keygen -Y find-principals. bz3409, reported

by Mateusz Adamowski

diff --git a/usr.bin/ssh/sshsig.c b/usr.bin/ssh/sshsig.c
index 8c64b99..56cd59a 100644 (file)
--- a/usr.bin/ssh/sshsig.c
+++ b/usr.bin/ssh/sshsig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshsig.c,v 1.28 2022/02/01 23:34:47 djm Exp $ */
+/* $OpenBSD: sshsig.c,v 1.29 2022/03/30 04:27:51 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -737,7 +737,7 @@ parse_principals_key_and_options(const char *path, u_long linenum, char *line,
                return SSH_ERR_KEY_NOT_FOUND; /* blank or all-comment line */
 
        /* format: identity[,identity...] [option[,option...]] key */
-       if ((tmp = strdelimw(&cp)) == NULL) {
+       if ((tmp = strdelimw(&cp)) == NULL || cp == NULL) {
                error("%s:%lu: invalid line", path, linenum);
                r = SSH_ERR_INVALID_FORMAT;
                goto out;
@@ -775,6 +775,11 @@ parse_principals_key_and_options(const char *path, u_long linenum, char *line,
                        r = SSH_ERR_INVALID_FORMAT;
                        goto out;
                }
+               if (cp == NULL || *cp == '\0') {
+                       error("%s:%lu: missing key", path, linenum);
+                       r = SSH_ERR_INVALID_FORMAT;
+                       goto out;
+               }
                *cp++ = '\0';
                skip_space(&cp);
                if (sshkey_read(key, &cp) != 0) {