author | Werner Koch <wk@gnupg.org> | 2011-07-22 09:29:40 +0200 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2011-07-22 09:29:40 +0200 |
commit | 6f86ee812fa5b063f8feb79f9e3e59eaa59e0209 (patch) | |
tree | b1fa252e0f83fc897595bc6148832cd5ee61d45b /agent | |
parent | Try to get the only-valid-if-cert-valid cert from the dirmngr first. (diff) | |
Fix crash while reading unsupported ssh keys.
This bug was found by n-roeser at gmx.net
(gnupg-devel@, msgid 4DFC7298.4040509@gmx.net).
Diffstat (limited to 'agent')
-rw-r--r-- | agent/ChangeLog | 5 | ||||
-rw-r--r-- | agent/command-ssh.c | 18 |
2 files changed, 11 insertions, 12 deletions
diff --git a/agent/ChangeLog b/agent/ChangeLog
index 95609cb3d..e1becac51 100644
--- a/agent/ChangeLog
+++ b/agent/ChangeLog
@@ -1,3 +1,8 @@
+2011-07-22 Werner Koch <wk@g10code.com>
+
+ * command-ssh.c (ssh_receive_key): Do not init comment to an empty
+ static string; in the error case it would be freed.
+
 2011-07-20 Werner Koch <wk@g10code.com>
 * command.c (do_one_keyinfo, cmd_keyinfo): Support option --ssh-fpr.
diff --git a/agent/command-ssh.c b/agent/command-ssh.c
index 3fef83ec3..ae193ec94 100644
--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@@ -1409,18 +1409,13 @@ ssh_receive_key (estream_t stream, gcry_sexp_t *key_new, int secret,
 int read_comment, ssh_key_type_spec_t *key_spec)
 {
 gpg_error_t err;
- char *key_type;
- char *comment;
- gcry_sexp_t key;
+ char *key_type = NULL;
+ char *comment = NULL;
+ gcry_sexp_t key = NULL;
 ssh_key_type_spec_t spec;
- gcry_mpi_t *mpi_list;
+ gcry_mpi_t *mpi_list = NULL;
 const char *elems;
- mpi_list = NULL;
- key_type = NULL;
- comment = "";
- key = NULL;
-
 err = stream_read_cstring (stream, &key_type);
 if (err)
 goto out;
@@ -1452,7 +1447,7 @@ ssh_receive_key (estream_t stream, gcry_sexp_t *key_new, int secret,
 goto out;
 }
- err = sexp_key_construct (&key, spec, secret, mpi_list, comment);
+ err = sexp_key_construct (&key, spec, secret, mpi_list, comment? comment:"");
 if (err)
 goto out;
@@ -1464,8 +1459,7 @@ ssh_receive_key (estream_t stream, gcry_sexp_t *key_new, int secret,
 mpint_list_free (mpi_list);
 xfree (key_type);
- if (read_comment)
- xfree (comment);
+ xfree (comment);
 return err;
 } |
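Review bot: The declarations in the first command-ssh.c hunk now carry an ownership rule that is not written down: `key_type`, `comment` and `mpi_list` must each be NULL or allocated memory, because the cleanup in the last hunk releases them unconditionally. The crash fixed here came from breaking that rule with `comment = ""`, and the function parses key data from the stream, so an invalid free on the error path is worth guarding against. A comment above the declarations would do, e.g. `/* Released at out:; each must be NULL or allocated memory, never a static string. */`. `spec` and `elems` stay uninitialized, which is fine only if the cleanup path never reads them; the visible cleanup lines do not, but the function body continues outside the hunk.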
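Review bot: The `comment? comment:""` fallback in the `sexp_key_construct` call is now the only thing keeping a NULL comment out of key construction, and nothing at the call says why it is there. A short comment would keep a later cleanup from removing it, e.g. `/* COMMENT is NULL unless one was read; pass an empty string then. */`. Presumably `comment` stays NULL when `read_comment` is 0, but the lines that read it lie between the hunks and are not shown. If `sexp_key_construct` has other callers, accepting NULL inside it would avoid repeating the guard; that function is not visible here.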