From 79e9eb53d44d777f2aa094e643cc3ae796e7d4f4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <mail@cynapses.org>
Date: Wed, 1 Apr 2009 10:49:27 +0000
Subject: Add memory error checking to key exchange functions.

git-svn-id: svn+ssh://svn.berlios.de/svnroot/repos/libssh/trunk@317 7dcaeef0-15fb-0310-b436-a5af3365683c
---
 libssh/kex.c      | 69 +++++++++++++++++++++++++++++++++++++++++++++----------
 libssh/keyfiles.c |  8 +++++++
 2 files changed, 65 insertions(+), 12 deletions(-)

diff --git a/libssh/kex.c b/libssh/kex.c
index cf55f7ea..5f76f47c 100644
--- a/libssh/kex.c
+++ b/libssh/kex.c
@@ -73,8 +73,14 @@ static char **tokenize(const char *chain){
     char **tokens;
     int n=1;
     int i=0;
-    char *tmp = strdup(chain);
-    char *ptr = tmp;
+    char *tmp;
+    char *ptr;
+
+    tmp = strdup(chain);
+    if (tmp == NULL) {
+      return NULL;
+    }
+    ptr = tmp;
     while(*ptr){
         if(*ptr==','){
             n++;
@@ -84,6 +90,10 @@ static char **tokenize(const char *chain){
     }
     /* now n contains the number of tokens, the first possibly empty if the list was empty too e.g. "" */
     tokens=malloc(sizeof(char *) * (n+1) ); /* +1 for the null */
+    if (tokens == NULL) {
+      SAFE_FREE(tmp);
+      return NULL;
+    }
     ptr=tmp;
     for(i=0;i<n;i++){
         tokens[i]=ptr;
@@ -100,8 +110,15 @@ char **space_tokenize(const char *chain){
     char **tokens;
     int n=1;
     int i=0;
-    char *tmp = strdup(chain);
-    char *ptr = tmp;
+    char *tmp;
+    char *ptr;
+
+    tmp = strdup(chain);
+    if (tmp == NULL) {
+      return NULL;
+    }
+    ptr = tmp;
+
     while(*ptr==' ')
         ++ptr; /* skip initial spaces */
     while(*ptr){
@@ -115,7 +132,11 @@ char **space_tokenize(const char *chain){
         ptr++;
     }
     /* now n contains the number of tokens, the first possibly empty if the list was empty too e.g. "" */
-    tokens=malloc(sizeof(char *) * (n+1) ); /* +1 for the null */
+    tokens = malloc(sizeof(char *) * (n + 1)); /* +1 for the null */
+    if (tokens == NULL) {
+      SAFE_FREE(tmp);
+      return NULL;
+    }
     ptr=tmp; /* we don't pass the initial spaces because the "tmp" pointer is needed by the caller */
                     /* function to free the tokens. */
     for(i=0;i<n;i++){
@@ -140,11 +161,22 @@ char *ssh_find_matching(const char *in_d, const char *what_d){
     char ** tok_in, **tok_what;
     int i_in, i_what;
     char *ret;
-    
-    if( ! (in_d && what_d))
-        return NULL; /* don't deal with null args */
-    tok_in=tokenize(in_d);
-    tok_what=tokenize(what_d);
+
+    if ((in_d == NULL) || (what_d == NULL)) {
+      return NULL; /* don't deal with null args */
+    }
+
+    tok_in = tokenize(in_d);
+    if (tok_in == NULL) {
+      return NULL;
+    }
+
+    tok_what = tokenize(what_d);
+    if (tok_what == NULL) {
+      SAFE_FREE(tok_in[0]);
+      SAFE_FREE(tok_in);
+    }
+
     for(i_in=0; tok_in[i_in]; ++i_in){
         for(i_what=0; tok_what[i_what] ; ++i_what){
             if(!strcmp(tok_in[i_in],tok_what[i_what])){
@@ -195,11 +227,19 @@ int ssh_get_kex(SSH_SESSION *session,int server_kex ){
     }
     /* copy the server kex info into an array of strings */
     if(server_kex){
-        session->client_kex.methods=malloc( 10 * sizeof(char **));
+        session->client_kex.methods = malloc(10 * sizeof(char **));
+        if (session->client_kex.methods == NULL) {
+          leave_function();
+          return -1;
+        }
         for(i=0;i<10;++i)
             session->client_kex.methods[i]=strings[i];
     } else { // client     
-        session->server_kex.methods=malloc( 10 * sizeof(char **));
+        session->server_kex.methods = malloc(10 * sizeof(char **));
+        if (session->server_kex.methods == NULL) {
+          leave_function();
+          return -1;
+        }
         for(i=0;i<10;++i)
             session->server_kex.methods[i]=strings[i];
     }
@@ -237,6 +277,11 @@ int set_kex(SSH_SESSION *session){
     else
         ssh_get_random(client->cookie,16,0);
     client->methods=malloc(10 * sizeof(char **));
+    if (client->methods == NULL) {
+      ssh_set_error(session, SSH_FATAL, "No space left");
+      leave_function();
+      return -1;
+    }
     memset(client->methods,0,10*sizeof(char **));
     for (i=0;i<10;i++){
         if(!(wanted=options->wanted_methods[i]))
diff --git a/libssh/keyfiles.c b/libssh/keyfiles.c
index a4cec4e6..c45d9abd 100644
--- a/libssh/keyfiles.c
+++ b/libssh/keyfiles.c
@@ -848,6 +848,12 @@ static char **ssh_get_knownhost_line(SSH_SESSION *session,FILE **file, char *fil
         if(!buffer[0] || buffer[0]=='#')
             continue; /* skip empty lines */
         tokens=space_tokenize(buffer);
+        if (tokens == NULL) {
+          fclose(*file);
+          *file = NULL;
+          leave_function();
+          return NULL;
+        }
         if(!tokens[0] || !tokens[1] || !tokens[2]){
             /* it should have at least 3 tokens */
             tokens_free(tokens);
@@ -870,6 +876,8 @@ static char **ssh_get_knownhost_line(SSH_SESSION *session,FILE **file, char *fil
                continue;
            }
         }
+        fclose(*file);
+        *file = NULL;
         leave_function();
         return tokens;
     }
-- 
cgit