
[PATCH] kex: NULL checks for 'first_kex_packet_follows'


Hi,

Attached is an addition to the 'first_kex_packet_follows' handling
to make sure that a 'strdup(NULL)' path can not be taken -- I did
not catch this in the original patch.

Based off of master @d6e6a453fc2b362174e9e0a8669574283b515245.


Thanks,
-Jon
From de3d44fbcb5ccfa26c02e8d722df1cb9ad3bad97 Mon Sep 17 00:00:00 2001
From: Jon Simons <jon@xxxxxxxxxxxxx>
Date: Tue, 22 Apr 2014 01:11:03 -0700
Subject: [PATCH] kex: NULL checks for 'first_kex_packet_follows'

Add NULL checks to 'is_first_kex_packet_follows_guess_wrong'
to ensure that a 'strdup(NULL)' path can not be taken.

Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
 src/kex.c | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/src/kex.c b/src/kex.c
index e90cb55..d17909d 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -286,7 +286,13 @@ static int is_first_kex_packet_follows_guess_wrong(const char *client_kex,
                                                    const char *server_kex) {
     int is_wrong = 1;
     char **server_kex_tokens = NULL;
-    char **client_kex_tokens = tokenize(client_kex);
+    char **client_kex_tokens = NULL;
+
+    if ((client_kex == NULL) || (server_kex == NULL)) {
+        goto out;
+    }
+
+    client_kex_tokens = tokenize(client_kex);
 
     if (client_kex_tokens == NULL) {
         goto out;
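Review bot: the new early exit on `(client_kex == NULL) || (server_kex == NULL)` leaves `is_wrong` at its initial value of 1, so a missing method string is reported to the caller as a wrong guess, and nothing in the function says that this is intended. A one-line comment above the check, stating that NULL input is treated as "guess wrong" so that the following SSH_MSG_KEXDH_INIT is ignored, would make the fail-safe default explicit. The `out:` label is outside this hunk, so please also confirm its cleanup copes with both `client_kex_tokens` and `server_kex_tokens` still being NULL, which is the state on this new path.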
@@ -416,17 +422,17 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
         if (rc < 0) {
             goto error;
         }
-    }
 
-    /*
-     * Remember whether 'first_kex_packet_follows' was set and the client
-     * guess was wrong: in this case the next SSH_MSG_KEXDH_INIT message
-     * must be ignored.
-     */
-    if (server_kex && first_kex_packet_follows) {
-      session->first_kex_follows_guess_wrong =
-        is_first_kex_packet_follows_guess_wrong(session->next_crypto->client_kex.methods[SSH_KEX],
-                                                session->next_crypto->server_kex.methods[SSH_KEX]);
+        /*
+         * Remember whether 'first_kex_packet_follows' was set and the client
+         * guess was wrong: in this case the next SSH_MSG_KEXDH_INIT message
+         * must be ignored.
+         */
+        if (first_kex_packet_follows) {
+          session->first_kex_follows_guess_wrong =
+            is_first_kex_packet_follows_guess_wrong(session->next_crypto->client_kex.methods[SSH_KEX],
+                                                    session->next_crypto->server_kex.methods[SSH_KEX]);
+        }
     }
 
     session->session_state = SSH_SESSION_STATE_KEXINIT_RECEIVED;
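Review bot: the moved check drops the `server_kex` operand (`if (server_kex && first_kex_packet_follows)` becomes `if (first_kex_packet_follows)`) and now depends on the enclosing block, whose condition is not visible in this hunk, to provide the same guarantee. Please state in the commit message or in the comment that the enclosing branch is the `server_kex` case, so the reason the explicit test is no longer needed is on record. Two smaller points: `session->first_kex_follows_guess_wrong` is only written when `first_kex_packet_follows` is set, so it is worth confirming that it is reset elsewhere before a later key exchange; and the body of the new `if` is indented by two spaces where the surrounding code uses four.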
-- 
1.8.4.21.g992c386

