upstream commit

fix three bugs in KRL code related to (unused) signature support: verification length was being incorrectly calculated, multiple signatures were being incorrectly processed and a NULL dereference that occurred when signatures were verified. Reported by Carl Jackson Upstream-ID: e705e97ad3ccce84291eaa651708dd1b9692576b
2024-12-22 18:02:20 +00:00 · 2015-12-31 00:33:52 +00:00 · 2015-12-31 00:33:52 +00:00 · 422d1b3ee9
commit 422d1b3ee9
parent 6074c84bf9
1 changed files with 3 additions and 4 deletions
--- a/krl.c
+++ b/krl.c
@ -14,7 +14,7 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $OpenBSD: krl.c,v 1.36 2015/12/11 04:21:12 mmcc Exp $ */
+/* $OpenBSD: krl.c,v 1.37 2015/12/31 00:33:52 djm Exp $ */

 #include "includes.h"

@ -1015,7 +1015,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
 		}
 		/* Check signature over entire KRL up to this point */
 		if ((r = sshkey_verify(key, blob, blen,
-		    sshbuf_ptr(buf), sshbuf_len(buf) - sig_off, 0)) != 0)
+		    sshbuf_ptr(buf), sig_off, 0)) != 0)
 			goto out;
 		/* Check if this key has already signed this KRL */
 		for (i = 0; i < nca_used; i++) {
@ -1036,7 +1036,6 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
 		ca_used = tmp_ca_used;
 		ca_used[nca_used++] = key;
 		key = NULL;
-		break;
 	}

 	if (sshbuf_len(copy) != 0) {
@ -1101,7 +1100,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
 			r = SSH_ERR_INVALID_FORMAT;
 			goto out;
 		}
-		if (sshbuf_len(sect) > 0) {
+		if (sect != NULL && sshbuf_len(sect) > 0) {
 			error("KRL section contains unparsed data");
 			r = SSH_ERR_INVALID_FORMAT;
 			goto out;