RepoMirrors
/
openssh
mirror of git://anongit.mindrot.org/openssh.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream: fix leak: was double allocating kex->session_id buffer 

OpenBSD-Commit-ID: 3765f4cc3ae1df874dba9102a3588ba7b48b8183
This commit is contained in:
djm@openbsd.org 2021-01-27 23:49:46 +00:00 committed by Damien Miller
parent 1134a48cdc
commit d983e1732b
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
kex.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kex.c,v 1.165 2021/01/27 10:05:28 djm Exp $ */ /* $OpenBSD: kex.c,v 1.166 2021/01/27 23:49:46 djm Exp $ */
/* /*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* *
@ -1068,13 +1068,15 @@ kex_derive_keys(struct ssh *ssh, u_char *hash, u_int hashlen,
/* save initial hash as session id */ /* save initial hash as session id */
if ((kex->flags & KEX_INITIAL) != 0) { if ((kex->flags & KEX_INITIAL) != 0) {
if ((kex->session_id = sshbuf_new()) == NULL) if (sshbuf_len(kex->session_id) != 0) {
return SSH_ERR_ALLOC_FAIL; error_f("already have session ID at kex");
return SSH_ERR_INTERNAL_ERROR;
}
if ((r = sshbuf_put(kex->session_id, hash, hashlen)) != 0) if ((r = sshbuf_put(kex->session_id, hash, hashlen)) != 0)
return r; return r;
} else if (sshbuf_len(kex->session_id) == 0) { } else if (sshbuf_len(kex->session_id) == 0) {
error_f("no session ID in rekex"); error_f("no session ID in rekex");
return SSH_ERR_INTERNAL_ERROR; return SSH_ERR_INTERNAL_ERROR;
} }
for (i = 0; i < NKEYS; i++) { for (i = 0; i < NKEYS; i++) {
if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen, if ((r = derive_key(ssh, 'A'+i, kex->we_need, hash, hashlen,