fix NULL pointer dereference crash in key loading

found by Michal Zalewski's AFL fuzzer
author: djm <djm@openbsd.org> 2014-11-18 01:02:25 +0000
committer: djm <djm@openbsd.org> 2014-11-18 01:02:25 +0000
commit: 2cec05c0cb9d954a6b2d78afa2d97b8052663213 (patch)
tree: 603af8d21f8addafc44b8d0a34069637a2d2c311 /usr.bin/ssh/sshkey.c
parent: partial sync (diff)
download: wireguard-openbsd-2cec05c0cb9d954a6b2d78afa2d97b8052663213.tar.xz
wireguard-openbsd-2cec05c0cb9d954a6b2d78afa2d97b8052663213.zip
1 files changed, 3 insertions, 5 deletions
diff --git a/usr.bin/ssh/sshkey.c b/usr.bin/ssh/sshkey.c
index 6e6e3dd350a..f0540db1f35 100644
--- a/usr.bin/ssh/sshkey.c
+++ b/usr.bin/ssh/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.4 2014/10/08 21:45:48 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.5 2014/11/18 01:02:25 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
@@ -1207,9 +1207,7 @@ sshkey_read(struct sshkey *ret, char **cpp)
 		cp = space+1;
 		if (*cp == '\0')
 			return SSH_ERR_INVALID_FORMAT;
-		if (ret->type == KEY_UNSPEC) {
-			ret->type = type;
-		} else if (ret->type != type)
+		if (ret->type != KEY_UNSPEC && ret->type != type)
 			return SSH_ERR_KEY_TYPE_MISMATCH;
 		if ((blob = sshbuf_new()) == NULL)
 			return SSH_ERR_ALLOC_FAIL;
@@ -1236,7 +1234,7 @@ sshkey_read(struct sshkey *ret, char **cpp)
 			sshkey_free(k);
 			return SSH_ERR_EC_CURVE_MISMATCH;
 		}
-/*XXXX*/
+		ret->type = type;
 		if (sshkey_is_cert(ret)) {
 			if (!sshkey_is_cert(k)) {
 				sshkey_free(k);
author	djm <djm@openbsd.org>	2014-11-18 01:02:25 +0000
committer	djm <djm@openbsd.org>	2014-11-18 01:02:25 +0000
commit	2cec05c0cb9d954a6b2d78afa2d97b8052663213 (patch)
tree	603af8d21f8addafc44b8d0a34069637a2d2c311 /usr.bin/ssh/sshkey.c
parent	partial sync (diff)
download	wireguard-openbsd-2cec05c0cb9d954a6b2d78afa2d97b8052663213.tar.xz wireguard-openbsd-2cec05c0cb9d954a6b2d78afa2d97b8052663213.zip