Source-Changes-D archive


Re: CVS commit: src/crypto/external/bsd/openssh/dist



> +	const BIGNUM *pub_key;
> +	if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
> +		goto out;
> +	DH_get0_key(kex->dh, &pub_key, NULL);
> +	if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_INIT)) != 0 ||
> +	    (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 ||
> +	    (r = sshpkt_send(ssh)) != 0) {
>  		goto out;
> +	}
> +	}
>  	debug("SSH2_MSG_KEX_DH_GEX_INIT sent");
>  #ifdef DEBUG_KEXDH
>  	DHparams_print_fp(stderr, kex->dh);
> @@ -134,10 +140,12 @@ input_kex_dh_gex_group(int type, u_int32
>  	ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REPLY, &input_kex_dh_gex_reply);
>  	r = 0;
>  out:
> -	if (p)
> +	if (r != 0) {
>  		BN_clear_free(p);
> -	if (g)
>  		BN_clear_free(g);
> +		DH_free(kex->dh);
> +		kex->dh = NULL;
> +	}
>  	return r;
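Review bot: The new `out:` cleanup frees `p` and `g` with `BN_clear_free()` and then calls `DH_free(kex->dh)`, which would be a double free if those BIGNUMs were already handed over to `kex->dh` earlier in the function and a later step such as `dh_gen_key()` or one of the `sshpkt_*` calls fails. The hand-over is not visible in the quoted lines, so this is inferred from the success path no longer freeing `p` and `g`. If ownership does move, clear the locals right after the transfer, e.g. `p = g = NULL; /* owned by kex->dh now */`, so the error path frees only what the function still owns. The body of input_kex_dh_gex_group starts outside the hunk, and the quoted hunk looks trimmed at the end.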

BN_clear_free will null deref on this error path I think

