On Sat, 25 Apr 2020, Michael Forney wrote:

> This matches the other do_convert_* functions, which also cannot
> fail. Otherwise, ssh-keygen will crash when it tries to check the
> key type before writing it to stdout.
>
> For example, if I corrupt the key magic:
>
> $ sed 's,^P2/5,AAAA,' regress/rsa_ssh2.prv > bad.prv && chmod 600 bad.prv
> $ ssh-keygen -i -f bad.prv
> bad magic 0xeb != 0x3f6ff9eb
> Segmentation fault
> $

I just committed a different fix - thanks

diff --git a/ssh-keygen.c b/ssh-keygen.c index 526b57f..a046c04 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -653,9 +653,10 @@ do_convert_from_ssh2(struct passwd *pw, struct sshkey **k, int *private) encoded[len-3] = '\0'; if ((r = sshbuf_b64tod(buf, encoded)) != 0) fatal("%s: base64 decoding failed: %s", __func__, ssh_err(r)); - if (*private) - *k = do_convert_private_ssh2(buf); - else if ((r = sshkey_fromb(buf, k)) != 0) + if (*private) { + if ((*k = do_convert_private_ssh2(buf)) == NULL) + fatal("%s: private key conversion failed", __func__); + } else if ((r = sshkey_fromb(buf, k)) != 0) fatal("decode blob failed: %s", ssh_err(r)); sshbuf_free(buf); fclose(fp);
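Review bot: The new fatal() in the `if (*private)` branch of do_convert_from_ssh2() reports "private key conversion failed" with no cause, while the two neighbouring fatal() calls append ssh_err(r). Because do_convert_private_ssh2(buf) signals failure only by returning NULL, the caller has nothing to pass to ssh_err(); consider having it return an int status and hand the key back through an out-parameter, the way sshkey_fromb(buf, k) does in the else branch, so the message can say why conversion failed. A smaller style point in the same hunk: the new message is prefixed with __func__ but the unchanged "decode blob failed: %s" is not, so the two branches of one if/else now log in different formats. A regress case built from the corrupted-magic file in the quoted report would confirm that ssh-keygen -i exits through fatal() rather than crashing.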