diff options
author | Jon Simons <jon@jonsimons.org> | 2014-10-18 23:23:26 -0700 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2014-12-17 19:45:09 +0100 |
commit | c2aed4ca78030d9014a890cb4370e6dc8264823f (patch) | |
tree | db9289f97886a63202e3081470f26c6dd3b56611 /src/kex.c | |
parent | b7b535816d5fa49b0d1783f4cb42086f4169b1da (diff) | |
download | libssh-c2aed4ca78030d9014a890cb4370e6dc8264823f.tar.gz libssh-c2aed4ca78030d9014a890cb4370e6dc8264823f.tar.xz libssh-c2aed4ca78030d9014a890cb4370e6dc8264823f.zip |
CVE-2014-8132: Fixup error path in ssh_packet_kexinit()
Before this change, dangling pointers can be unintentionally left in the
respective next_crypto kex methods slots. Ensure to set all slots to
NULL in the error-out path.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src/kex.c')
-rw-r--r-- | src/kex.c | 7 |
1 files changed, 6 insertions, 1 deletions
@@ -368,7 +368,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){ for (i = 0; i < KEX_METHODS_SIZE; i++) { str = buffer_get_ssh_string(packet); if (str == NULL) { - break; + goto error; } rc = buffer_add_ssh_string(session->in_hashbuf, str); @@ -443,6 +443,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){ error: ssh_string_free(str); for (i = 0; i < SSH_KEX_METHODS; i++) { + if (server_kex) { + session->next_crypto->client_kex.methods[i] = NULL; + } else { /* client */ + session->next_crypto->server_kex.methods[i] = NULL; + } SAFE_FREE(strings[i]); } |