The ssh_custom_free() function was calling strlen() on binary public key data, causing a heap buffer overflow when the data was not null-terminated. It also meant that keys containing null bytes were not cleared completely. This patch uses the stored publickey_len field instead of strlen() to determine the correct buffer size when zeroing the memory. The fix has been published upstream in https://github.com/libgit2/libgit2/pull/7146. Nix uses libgit2, but not its libssh2 integration. Other applications may be affected and need this fix.
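The under-clearing half of the bug is easy to reproduce in isolation. The following is an added example, not code from libgit2 or from this patch: it models a credential struct with the two fields the patch names (`publickey`, `publickey_len`), then zeroes a constructed key that contains an embedded NUL byte once with a strlen()-derived size and once with the stored length, and counts how many key bytes survive. The struct, the setter and the helper names are assumptions for the demonstration; the sample key deliberately contains a NUL so that the strlen() variant stays inside the buffer and only the incomplete clearing is shown.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical credential struct, modelled on the fields the patch refers to
 * (c->publickey, c->publickey_len); not libgit2's actual definition. */
struct custom_cred {
    unsigned char *publickey;   /* binary key bytes, not NUL-terminated */
    size_t publickey_len;       /* byte count recorded at allocation time */
};

/* Store a copy of binary key data and record its length (assumed setter). */
static int custom_cred_set_key(struct custom_cred *c,
                               const unsigned char *key, size_t len)
{
    c->publickey = malloc(len);
    if (!c->publickey)
        return -1;
    memcpy(c->publickey, key, len);
    c->publickey_len = len;
    return 0;
}

/* Pre-fix pattern: size derived from strlen(). Clearing stops at the first
 * NUL byte, so anything after it is left in memory; with no NUL present at
 * all the call would also read past the end of the allocation. */
static void zero_key_strlen(struct custom_cred *c)
{
    size_t key_len = strlen((const char *)c->publickey);
    memset(c->publickey, 0, key_len);
}

/* Post-fix pattern: size taken from the stored length field. */
static void zero_key_stored_len(struct custom_cred *c)
{
    memset(c->publickey, 0, c->publickey_len);
}

/* Count key bytes still non-zero after a zeroing attempt; 0 = fully cleared. */
static size_t count_residue(const struct custom_cred *c)
{
    size_t n = 0;
    for (size_t i = 0; i < c->publickey_len; i++)
        if (c->publickey[i] != 0)
            n++;
    return n;
}

/* Zero a constructed key with one of the two strategies and report how many
 * bytes of key material survived. use_stored_len == 0 selects strlen(). */
size_t residue_after_zeroing(int use_stored_len)
{
    /* Constructed sample: four non-zero bytes, an embedded NUL, then three
     * more non-zero bytes. There is no terminating NUL. */
    static const unsigned char sample[] = {
        0x01, 0x02, 0x03, 0x04, 0x00, 0x05, 0x06, 0x07
    };
    struct custom_cred c;
    if (custom_cred_set_key(&c, sample, sizeof sample) != 0)
        return (size_t)-1;
    if (use_stored_len)
        zero_key_stored_len(&c);
    else
        zero_key_strlen(&c);
    size_t residue = count_residue(&c);
    free(c.publickey);
    return residue;
}

int main(void)
{
    printf("strlen() size: %zu key bytes left in memory\n",
           residue_after_zeroing(0));
    printf("stored length: %zu key bytes left in memory\n",
           residue_after_zeroing(1));
    return 0;
}
```

On the sample above the strlen() variant clears only the four bytes before the embedded NUL and leaves the remaining three, while the stored-length variant clears all eight; the same length field is what makes the over-read case impossible, because the size never depends on the key's contents.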
32 lines
1.3 KiB
Diff
commit 4277cc75bc147d0af6ffddc7db96f48492977968
Author: bakersdozen123 <taunts_bakers_3r@icloud.com>
Date: Sat Oct 11 09:56:48 2025 -0700

ssh: fix custom ssh heap buffer overflow

The `ssh_custom_free()` function calls `strlen()` on the `publickey`
field, which stores binary data, not a null-terminated string. This
causes a heap buffer overflow when the public key data is not
null-terminated or contains embedded null bytes.

The `publickey` field stores binary data, as required by the underlying
`libssh2_userauth_publickey()` function, which accepts a public key
parameter of the type `const unsigned char*`.

Use the stored `publickey_len` instead of `strlen()` to determine the
correct buffer size.

diff --git a/src/libgit2/transports/credential.c b/src/libgit2/transports/credential.c
index b47bd63a1..7d0eacecf 100644
--- a/src/libgit2/transports/credential.c
+++ b/src/libgit2/transports/credential.c
@@ -161,7 +161,7 @@ static void ssh_custom_free(struct git_credential *cred)
if (c->publickey) {
/* Zero the memory which previously held the publickey */
- size_t key_len = strlen(c->publickey);
+ size_t key_len = c->publickey_len;
git__memzero(c->publickey, key_len);
git__free(c->publickey);
}
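Review bot: the zeroing at `git__memzero(c->publickey, key_len)` now trusts `c->publickey_len` to equal the allocation length, which this hunk cannot show; confirm that the code which fills `publickey` records the exact number of bytes it copies, otherwise the memzero under-clears or overruns just as the removed `strlen(c->publickey)` did. A regression test with a key containing an embedded NUL byte, the case the commit message names, would pin the behaviour, since the old code silently stopped clearing at the first zero byte.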