aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreas Schneider <asn@cryptomilk.org>2012-10-05 15:07:17 +0200
committerAndreas Schneider <asn@cryptomilk.org>2012-11-14 17:11:03 +0100
commitd63f19c3000f8bc699ba99814bec9d7ddf6a5b20 (patch)
treef3affb5cae680130e7e7ab4cf0572e1039788136
parent455da60846d68c508f7fed5b381097b364647425 (diff)
downloadlibssh-d63f19c3000f8bc699ba99814bec9d7ddf6a5b20.tar.gz
libssh-d63f19c3000f8bc699ba99814bec9d7ddf6a5b20.tar.xz
libssh-d63f19c3000f8bc699ba99814bec9d7ddf6a5b20.zip
CVE-2012-4561: Fix possible free's on invalid pointers.
-rw-r--r--src/keys.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/keys.c b/src/keys.c
index de6b8f2d..9ae25a34 100644
--- a/src/keys.c
+++ b/src/keys.c
@@ -88,6 +88,7 @@ ssh_public_key publickey_make_dss(ssh_session session, ssh_buffer buffer) {
ssh_buffer_free(buffer);
return NULL;
}
+ ZERO_STRUCTP(key);
key->type = SSH_KEYTYPE_DSS;
key->type_c = ssh_type_to_char(key->type);
@@ -173,6 +174,7 @@ ssh_public_key publickey_make_rsa(ssh_session session, ssh_buffer buffer,
ssh_buffer_free(buffer);
return NULL;
}
+ ZERO_STRUCTP(key);
key->type = type;
key->type_c = ssh_type_to_char(key->type);
@@ -897,6 +899,7 @@ SIGNATURE *signature_from_string(ssh_session session, ssh_string signature,
ssh_set_error(session, SSH_FATAL, "Not enough space");
return NULL;
}
+ ZERO_STRUCTP(sign);
tmpbuf = ssh_buffer_new();
if (tmpbuf == NULL) {
@@ -1280,6 +1283,7 @@ ssh_string ssh_do_sign(ssh_session session, ssh_buffer sigbuf,
if (sign == NULL) {
return NULL;
}
+ ZERO_STRUCTP(sign);
switch(privatekey->type) {
case SSH_KEYTYPE_DSS:
@@ -1436,6 +1440,7 @@ ssh_string ssh_sign_session_id(ssh_session session, ssh_private_key privatekey)
if (sign == NULL) {
return NULL;
}
+ ZERO_STRUCTP(sign);
switch(privatekey->type) {
case SSH_KEYTYPE_DSS: