Skip to content

gcr-ssh-agent-service: fix check off-by-one causing crash on FIDO2 requests when compiled with clang

The GCR_SSH_OP_MAX isn't actually the highest allowed op but one higher, i.e. the array length; so the check was wrong. Reading past the end of the array is UB, so clang took advantage of that and optimized everything away and the result was happily calling NULL. As luck would have it, exactly 27 is an op used by the FIDO2 security key support (actually seems to mean using a protocol extension).

A null pointer dereference is also UB, so initially I thought it was the second check causing trouble, but no, it seems to mostly be the first…

Edited by Val Packett

Merge request reports