asedeno.scripts.mit.edu Git - PuTTY.git/commitdiff
Fix an erroneous length field in SSH-1 key load.
author Simon Tatham <anakin@pobox.com>
Thu, 19 Feb 2015 20:05:10 +0000 (20:05 +0000)
committer Simon Tatham <anakin@pobox.com>
Sat, 28 Feb 2015 07:57:35 +0000 (07:57 +0000)
We incremented buf by a few bytes, so we must decrement the
corresponding length by the same amount, or else makekey() could
overrun.

Thanks to Patrick Coleman for the patch.

sshpubk.c

index 87f1ebf3db179abbbec1c5fa996e3cb3505d49b3..74cf1080373ae02d8277602f18ca79ecbdbc7f91 100644 (file)
--- a/sshpubk.c
+++ b/sshpubk.c
@@ -67,7 +67,7 @@ static int loadrsakey_main(FILE * fp, struct RSAKey *key, int pub_only,
     i += 4;
 
     /* Now the serious stuff. An ordinary SSH-1 public key. */
-    j = makekey(buf + i, len, key, NULL, 1);
+    j = makekey(buf + i, len - i, key, NULL, 1);
     if (j < 0)
        goto end;                      /* overran */
     i += j;
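
Review bot: the new `len - i` argument in the `makekey(buf + i, len - i, key, NULL, 1)` call assumes `i <= len` at this point, and nothing in the visible context establishes that. If a short or truncated key file can leave `len` smaller than `i` after the `i += 4;` above, the subtraction yields a negative length (or a very large one if the type is unsigned), and the fix then depends on makekey() rejecting that value. It is worth confirming that an earlier bounds check exists, or adding one before the call, for example `if (len - i < 0) goto end;`. The same remaining-length rule should be checked for any reads from `buf` that follow `i += j;`.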