From d0f52bdb98c8c136784cedb78f20101899eea802 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 30 Mar 2022 04:27:51 +0000 Subject: [PATCH] avoid NULL deref via ssh-keygen -Y find-principals. bz3409, reported by Mateusz Adamowski --- usr.bin/ssh/sshsig.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/usr.bin/ssh/sshsig.c b/usr.bin/ssh/sshsig.c index 8c64b99c0f6..56cd59a3373 100644 --- a/usr.bin/ssh/sshsig.c +++ b/usr.bin/ssh/sshsig.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshsig.c,v 1.28 2022/02/01 23:34:47 djm Exp $ */ +/* $OpenBSD: sshsig.c,v 1.29 2022/03/30 04:27:51 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -737,7 +737,7 @@ parse_principals_key_and_options(const char *path, u_long linenum, char *line, return SSH_ERR_KEY_NOT_FOUND; /* blank or all-comment line */ /* format: identity[,identity...] [option[,option...]] key */ - if ((tmp = strdelimw(&cp)) == NULL) { + if ((tmp = strdelimw(&cp)) == NULL || cp == NULL) { error("%s:%lu: invalid line", path, linenum); r = SSH_ERR_INVALID_FORMAT; goto out; @@ -775,6 +775,11 @@ parse_principals_key_and_options(const char *path, u_long linenum, char *line, r = SSH_ERR_INVALID_FORMAT; goto out; } + if (cp == NULL || *cp == '\0') { + error("%s:%lu: missing key", path, linenum); + r = SSH_ERR_INVALID_FORMAT; + goto out; + } *cp++ = '\0'; skip_space(&cp); if (sshkey_read(key, &cp) != 0) { -- 2.20.1