From 7dc2bfac94834c5d1977f425e0a986777f3bb211 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sun, 20 Jun 2010 00:23:28 +0200
Subject: [PATCH] _libssh2_userauth_publickey: reject method names longer than the data

This functions get the method length by looking at the first 32 bit of data, and I now made it not accept method lengths that are longer than the whole data set is, as given in the dedicated function argument.

This was detected when the function was given bogus public key data as an ascii string, which caused the first 32bits to create a HUGE number.
---
 src/userauth.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/userauth.c b/src/userauth.c
index b02031f..36f5943 100644
--- a/src/userauth.c
+++ b/src/userauth.c
@@ -439,7 +439,7 @@ libssh2_userauth_password_ex(LIBSSH2_SESSION *session, const char *username,
  *
  * Read a public key from an id_???.pub style file
  *
- * Returns an allocated string containing the decoded key in *pubkeydata
+ * Returns an allocated string containing the decoded key in *pubkeydata
  * on success.
  * Returns an allocated string containing the key method (e.g. "ssh-dss")
  * in method on success.
@@ -890,13 +890,22 @@ _libssh2_userauth_publickey(LIBSSH2_SESSION *session,
             sizeof(session->userauth_pblc_packet_requirev_state));
 
     /*
-     * As an optimisation, userauth_publickey_fromfile reuses a
+     * As an optimisation, userauth_publickey_fromfile reuses a
      * previously allocated copy of the method name to avoid an extra
      * allocation/free.
      * For other uses, we allocate and populate it here.
      */
     if (!session->userauth_pblc_method) {
         session->userauth_pblc_method_len = _libssh2_ntohu32(pubkeydata);
+
+        if(session->userauth_pblc_method_len > pubkeydata_len)
+            /* the method length simply cannot be longer than the entire
+               passed in data, so we use this to detect crazy input
+               data */
+            return _libssh2_error(session,
+                                  LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED,
+                                  "Invalid public key");
+
         session->userauth_pblc_method = LIBSSH2_ALLOC(session,
                                          session->userauth_pblc_method_len);
         if (!session->userauth_pblc_method) {
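Review bot: The new bound `session->userauth_pblc_method_len > pubkeydata_len` still admits a length that overruns the buffer, because the 32-bit value read by `_libssh2_ntohu32(pubkeydata)` occupies the first four bytes of the same data and the method name presumably starts at `pubkeydata + 4` (the copy is below the hunk), so a method length in the range pubkeydata_len - 3 .. pubkeydata_len passes the check yet reads past the end. That read is also unguarded when pubkeydata_len is smaller than 4, since the check runs only after the length has been decoded. I would reject short input before the read and subtract the prefix in the comparison: `if(pubkeydata_len < 4) return _libssh2_error(session, LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED, "Invalid public key");` ahead of the `_libssh2_ntohu32` call, and `if(session->userauth_pblc_method_len > pubkeydata_len - 4)` for the comparison. Bracing the comment-plus-return body would also keep it consistent with the `if (!session->userauth_pblc_method) {` block that encloses it. The enclosing `_libssh2_userauth_publickey` starts before this hunk and continues after it.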