From c5ac15ad3327e3296b96fa92e4c6bc9e37c5dadf Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Tue, 18 Aug 2020 10:22:21 +0200
Subject: [PATCH] client: improve parsing of keygen arguments

Detect invalid syntax for the keygen command.
---
 client.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/client.c b/client.c
index 3d238d0..35ad83e 100644
--- a/client.c
+++ b/client.c
@@ -3167,18 +3167,27 @@ process_cmd_retries(const char *line)
 static int
 process_cmd_keygen(char *line)
 {
+  unsigned int i, args, cmac_length, length, id = 1, bits = 160;
   unsigned char key[512];
-  char type[17];
-  unsigned int i, cmac_length, length, id = 1, bits = 160;
+  const char *type;
+  char *words[3];
 
 #ifdef FEAT_SECHASH
-  snprintf(type, sizeof (type), "SHA1");
+  type = "SHA1";
 #else
-  snprintf(type, sizeof (type), "MD5");
+  type = "MD5";
 #endif
 
-  if (sscanf(line, "%u %16s %u", &id, type, &bits))
-    ;
+  args = UTI_SplitString(line, words, 3);
+  if (args >= 2)
+    type = words[1];
+
+  if (args > 3 ||
+      (args >= 1 && sscanf(words[0], "%u", &id) != 1) ||
+      (args >= 3 && sscanf(words[2], "%u", &bits) != 1)) {
+    LOG(LOGS_ERR, "Invalid syntax for keygen command");
+    return 0;
+  }
 
 #ifdef HAVE_CMAC
   cmac_length = CMC_GetKeyLength(UTI_CmacNameToAlgorithm(type));