From 01f404021823a067e3681eb2bccaaa5b72a67e01 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki
Date: Fri, 7 Jun 2019 19:08:53 +0200
Subject: dh: Avoid segmentation fault in GEX if fallback to known moduli

Make ssh_fallback_group() to duplicate the modulus and generator.

Signed-off-by: Anderson Toshiyuki Sasaki
Reviewed-by: Andreas Schneider
---
 src/dh.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/dh.c b/src/dh.c
index 10830441..6c698139 100644
--- a/src/dh.c
+++ b/src/dh.c
@@ -571,13 +571,21 @@ int ssh_fallback_group(uint32_t pmax,
 *generator = NULL;
 
 if (pmax < 3072) {
- *modulus = ssh_dh_group14;
+ bignum_dup(ssh_dh_group14, modulus);
 } else if (pmax < 6144) {
- *modulus = ssh_dh_group16;
+ bignum_dup(ssh_dh_group16, modulus);
 } else {
- *modulus = ssh_dh_group18;
+ bignum_dup(ssh_dh_group18, modulus);
+ }
+ if (*modulus == NULL) {
+ return SSH_ERROR;
+ }
+
+ bignum_dup(ssh_dh_generator, generator);
+ if (*generator == NULL) {
+ bignum_safe_free((*modulus));
+ return SSH_ERROR;
 }
- *generator = ssh_dh_generator;
 
 return SSH_OK;
 }
-- 
cgit v1.2.3
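Review bot: The ownership contract of ssh_fallback_group() changes in this hunk without being recorded anywhere: after the `bignum_dup()` calls the caller receives private copies of the modulus and generator instead of pointers to the shared `ssh_dh_group14/16/18` and `ssh_dh_generator` constants, so the caller is now responsible for freeing them. I would add a comment above the function along the lines of `/* On SSH_OK, *modulus and *generator are newly allocated copies owned by the caller; release both with bignum_safe_free(). */`. Any caller that still treats the result as borrowed would leak both bignums each time the fallback is taken, which is worth auditing because this path runs during key exchange with a remote peer. The `*modulus == NULL` failure check also presumably relies on `*modulus` having been cleared before the branch, as `*generator` is in the first context line; that assignment and the function's signature lie outside the hunk, so confirm it is there.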