libssh2_userauth_publickey_frommemory() may fail nondeterministically due to incorrect use of strlen() #773

@mike-jumper

Description

The libssh2_userauth_publickey_frommemory() function accepts private key data in the form of an arbitrary buffer and its length. From the documentation for libssh2_userauth_publickey_frommemory():

privatekeydata - Buffer containing the contents of a private key file.
privatekeydata_len - Length of private key data.

... but that buffer is passed down the chain via the filename member of a struct privkey_file:

libssh2/src/userauth.c, lines 1815 to 1820 in f6694be:

```c
struct privkey_file privkey_file;
void *abstract = &privkey_file;
int rc;

privkey_file.filename = privatekeydata;
privkey_file.passphrase = passphrase;
```

When that buffer is ultimately processed by sign_frommemory(), the originally-provided buffer length has been effectively discarded, and its length is instead calculated as if it were a string using strlen():

libssh2/src/userauth.c, lines 830 to 835 in f6694be:

```c
rc = memory_read_privatekey(session, &privkeyobj, &hostkey_abstract,
                            session->userauth_pblc_method,
                            session->userauth_pblc_method_len,
                            pk_file->filename,
                            strlen(pk_file->filename),
                            pk_file->passphrase);
```

Depending on the size of the block and memory garbage, this will overread the buffer and give nondeterministic results.
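The following is an added, stand-alone illustration of the failure mode described in this issue; it is not libssh2 code and is not from the issue author. It models the two paths in miniature: a hypothetical `key_len_via_strlen()` drops the caller's length and measures the key with `strlen()` the way the reported `sign_frommemory()` path does, while `key_len_via_len()` carries the explicit length through. The constructed key blob is placed in a larger buffer whose trailing bytes are deliberately non-zero, so there is no NUL inside the key data and `strlen()` runs past its end. The struct and function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for libssh2's struct privkey_file: the in-memory key
 * is smuggled through the 'filename' member, and no length travels with it. */
struct privkey_file {
    const char *filename;
    const char *passphrase;
};

/* Hypothetical hardened counterpart: the buffer keeps its explicit length. */
struct privkey_mem {
    const char *data;
    size_t      data_len;
    const char *passphrase;
};

/* Buggy path (models the report): the caller's length is discarded and the
 * key is measured as if it were a C string. */
static size_t key_len_via_strlen(const char *key, size_t key_len)
{
    struct privkey_file pk;
    (void)key_len;                    /* effectively lost, as in the issue */
    pk.filename = key;
    pk.passphrase = NULL;
    return strlen(pk.filename);       /* stops at the first NUL, wherever it is */
}

/* Hardened path: the explicit length is propagated instead of recomputed. */
static size_t key_len_via_len(const char *key, size_t key_len)
{
    struct privkey_mem pk;
    pk.data = key;
    pk.data_len = key_len;
    pk.passphrase = NULL;
    return pk.data_len;
}

/* Caller-side workaround: hand the library a copy with a trailing NUL so that
 * strlen() lands exactly on key_len. Returns a malloc'd buffer or NULL. */
static char *nul_terminated_copy(const char *key, size_t key_len)
{
    char *copy = malloc(key_len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, key, key_len);
    copy[key_len] = '\0';
    return copy;
}

/* Constructed sample input: a PEM-shaped blob (not a real key). */
static const char sample_pem[] =
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "AAAA\n"
    "-----END OPENSSH PRIVATE KEY-----\n";

#define DEMO_BUF_SIZE 256

/* Builds the demo buffer: the key bytes followed by non-zero filler, with a
 * single NUL at the very end so the demo itself stays in bounds. */
static void build_demo_buffer(char *buf)
{
    memset(buf, 'X', DEMO_BUF_SIZE);          /* simulated memory garbage */
    memcpy(buf, sample_pem, sizeof(sample_pem) - 1);
    buf[DEMO_BUF_SIZE - 1] = '\0';
}

size_t expected_len(void)          { return sizeof(sample_pem) - 1; }

size_t measured_len_strlen(void)
{
    char buf[DEMO_BUF_SIZE];
    build_demo_buffer(buf);
    return key_len_via_strlen(buf, expected_len());
}

size_t measured_len_explicit(void)
{
    char buf[DEMO_BUF_SIZE];
    build_demo_buffer(buf);
    return key_len_via_len(buf, expected_len());
}

size_t measured_len_workaround(void)
{
    char buf[DEMO_BUF_SIZE];
    build_demo_buffer(buf);
    char *copy = nul_terminated_copy(buf, expected_len());
    if (copy == NULL)
        return 0;
    size_t n = key_len_via_strlen(copy, expected_len());
    free(copy);
    return n;
}

int main(void)
{
    printf("intended key length : %zu\n", expected_len());
    printf("strlen() path sees  : %zu (overreads past the key)\n", measured_len_strlen());
    printf("explicit-length path: %zu\n", measured_len_explicit());
    printf("NUL-terminated copy : %zu\n", measured_len_workaround());
    return 0;
}
```

In real memory the bytes after the key are whatever happens to be there, so the `strlen()` result in the first line varies from run to run, which is the nondeterminism the issue describes; in the demo it stops at the fence byte instead. Until the length is propagated, a caller can sidestep the problem by ensuring the buffer it passes as `privatekeydata` is NUL-terminated immediately after `privatekeydata_len` bytes, as `nul_terminated_copy()` does.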
