From 91ebc49fb9ba144b4c105222b5d91fc9d478e3ee Mon Sep 17 00:00:00 2001
From: bakersdozen123
Date: Sat, 11 Oct 2025 09:56:48 -0700
Subject: [PATCH] ssh: fix custom ssh heap buffer overflow

The `ssh_custom_free()` function calls `strlen()` on the `publickey` field, which stores binary data, not a null-terminated string. This causes a heap buffer overflow when the public key data is not null-terminated or contains embedded null bytes. The `publickey` field stores binary data, as required by the underlying `libssh2_userauth_publickey()` function, which accepts a public key parameter of the type `const unsigned char*`. Use the stored `publickey_len` instead of `strlen()` to determine the correct buffer size.
---
 src/libgit2/transports/credential.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libgit2/transports/credential.c b/src/libgit2/transports/credential.c
index b47bd63a1..7d0eacecf 100644
--- a/src/libgit2/transports/credential.c
+++ b/src/libgit2/transports/credential.c
@@ -161,7 +161,7 @@ static void ssh_custom_free(struct git_credential *cred)
 if (c->publickey) {
 /* Zero the memory which previously held the publickey */
- size_t key_len = strlen(c->publickey);
+ size_t key_len = c->publickey_len;
 git__memzero(c->publickey, key_len);
 git__free(c->publickey);
 }
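Review bot: The context comment above the changed line still does not say why `strlen()` is wrong for this field, which is exactly how the bug got in; I would extend it so the next reader does not reintroduce it: `/* publickey is binary (libssh2 takes const unsigned char *), not a C string: size it with publickey_len, never strlen() */`. Note also that with an embedded NUL the old code under-counted rather than over-read, so part of the key material was left unzeroed before free — the new line fixes that too, and the comment could say the zeroing is deliberate key hygiene. The new line assumes `publickey_len` is kept in step with `publickey` wherever the field is assigned; that is outside this hunk, so worth confirming at the allocation site. ssh_custom_free begins before this hunk (only its signature is visible in the `@@` header).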