diff options
| author | Jon Simons <jon@jonsimons.org> | 2014-10-18 23:23:26 -0700 |
|---|---|---|
| committer | Andreas Schneider <asn@cryptomilk.org> | 2014-12-17 19:45:23 +0100 |
| commit | 87ae95eb3c2f35d3e8e00eca43d0711ab2737ef5 (patch) | |
| tree | 30deb98d71ab265e0f361fa8d5dfc62105161d40 | |
| parent | 055f102601c201463d628d910c2f9dfe0e91d075 (diff) | |
| download | libssh-87ae95eb3c2f35d3e8e00eca43d0711ab2737ef5.tar.gz libssh-87ae95eb3c2f35d3e8e00eca43d0711ab2737ef5.tar.xz libssh-87ae95eb3c2f35d3e8e00eca43d0711ab2737ef5.zip | |
CVE-2014-8132: Fixup error path in ssh_packet_kexinit()
Before this change, dangling pointers can be unintentionally left in the
respective next_crypto kex methods slots. Ensure to set all slots to
NULL in the error-out path.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 2ced24ddd67a261dc364ad4d8958c068c1671ae7)
| -rw-r--r-- | src/kex.c | 7 |
1 files changed, 6 insertions, 1 deletions
@@ -315,7 +315,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){ for (i = 0; i < KEX_METHODS_SIZE; i++) { str = buffer_get_ssh_string(packet); if (str == NULL) { - break; + goto error; } if (buffer_add_ssh_string(session->in_hashbuf, str) < 0) { @@ -350,6 +350,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){ error: ssh_string_free(str); for (i = 0; i < SSH_KEX_METHODS; i++) { + if (server_kex) { + session->next_crypto->client_kex.methods[i] = NULL; + } else { /* client */ + session->next_crypto->server_kex.methods[i] = NULL; + } SAFE_FREE(strings[i]); } |