- djm@cvs.openbsd.org 2013/12/19 01:19:41

     [ssh-agent.c]
     bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent
     that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com;
     ok dtucker

2 files changed, 9 insertions, 1 deletions

diff --git a/ChangeLog b/ChangeLog
index c22c8b4d..604bbbb7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,11 @@
      them.
      
      Diagnosis and fix by ronf AT timeheart.net
+   - djm@cvs.openbsd.org 2013/12/19 01:19:41
+     [ssh-agent.c]
+     bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent
+     that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com;
+     ok dtucker
 
 20131221
  - (dtucker) [regress/keytype.sh] Actually test ecdsa key types.
diff --git a/ssh-agent.c b/ssh-agent.c
index 8210a8e3..95117e07 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.180 2013/12/06 13:39:49 markus Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.181 2013/12/19 01:19:41 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -660,6 +660,9 @@ process_remove_smartcard_key(SocketEntry *e)
 		tab = idtab_lookup(version);
 		for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
 			nxt = TAILQ_NEXT(id, next);
+			/* Skip file--based keys */
+			if (id->provider == NULL)
+				continue;
 			if (!strcmp(provider, id->provider)) {
 				TAILQ_REMOVE(&tab->idlist, id, next);
 				free_identity(id);