buffers: Fix a possible null pointer dereference

This is an addition to CVE-2015-3146 to fix the null pointer dereference. The patch is not required to fix the CVE but prevents issues in future. Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be> Reviewed-by: Andreas Schneider <asn@cryptomilk.org> (cherry picked from commit 309102547208281215e6799336b42d355cdd7c5d)
author: Aris Adamantiadis <aris@0xbadc0de.be> 2015-04-15 16:25:29 +0200
committer: Andreas Schneider <asn@cryptomilk.org> 2015-04-23 10:34:13 +0200
commit: e9d16bd3439205ce7e75017405b1ac6ed5ead062 (patch)
tree: f8bdbfee31c013acdca71737f19698956839f3eb
parent: 94f6955fbaee6fda9385a23e505497efe21f5b4f (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/src/buffer.c b/src/buffer.c
index ca120868..3bb6ec43 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -188,6 +188,10 @@ int buffer_reinit(struct ssh_buffer_struct *buffer) {
 int buffer_add_data(struct ssh_buffer_struct *buffer, const void *data, uint32_t len) {
   buffer_verify(buffer);
 
+  if (data == NULL) {
+      return -1;
+  }
+
   if (buffer->used + len < len) {
     return -1;
   }
@@ -221,6 +225,10 @@ int buffer_add_ssh_string(struct ssh_buffer_struct *buffer,
     struct ssh_string_struct *string) {
   uint32_t len = 0;
 
+  if (string == NULL) {
+      return -1;
+  }
+
   len = ssh_string_len(string);
   if (buffer_add_data(buffer, string, len + sizeof(uint32_t)) < 0) {
     return -1;
author	Aris Adamantiadis <aris@0xbadc0de.be>	2015-04-15 16:25:29 +0200
committer	Andreas Schneider <asn@cryptomilk.org>	2015-04-23 10:34:13 +0200
commit	e9d16bd3439205ce7e75017405b1ac6ed5ead062 (patch)
tree	f8bdbfee31c013acdca71737f19698956839f3eb
parent	94f6955fbaee6fda9385a23e505497efe21f5b4f (diff)