On Feb 6,  1:26pm, m...@netbsd.org (m...@netbsd.org) wrote:
-- Subject: Re: CVS commit: src/crypto/external/bsd/openssh/dist

| > +   const BIGNUM *pub_key;
| > +   if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
| > +           goto out;
| > +   DH_get0_key(kex->dh, &pub_key, NULL);
| > +   if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_INIT)) != 0 ||
| > +       (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 ||
| > +       (r = sshpkt_send(ssh)) != 0) {
| >             goto out;
| > +   }
| > +   }
| >     debug("SSH2_MSG_KEX_DH_GEX_INIT sent");
| >  #ifdef DEBUG_KEXDH
| >     DHparams_print_fp(stderr, kex->dh);
| > @@ -134,10 +140,12 @@ input_kex_dh_gex_group(int type, u_int32
| >     ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REPLY, 
&input_kex_dh_gex_reply);
| >     r = 0;
| >  out:
| > -   if (p)
| > +   if (r != 0) {
| >             BN_clear_free(p);
| > -   if (g)
| >             BN_clear_free(g);
| > +           DH_free(kex->dh);
| > +           kex->dh = NULL;
| > +   }
| >     return r;
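Review bot: The new cleanup block under `out:` frees `p` and `g` and then calls `DH_free(kex->dh)`, which would release the same BIGNUMs twice if `kex->dh` already owns them at that point. The earlier quoted hunk can jump to `out` with `r != 0` after `dh_gen_key(kex->dh, ...)` fails, so the DH object exists on at least one error path. Whether `p` and `g` are cleared once ownership is handed over is not visible here, because input_kex_dh_gex_group starts outside the hunk. If they are not, add `p = g = NULL; /* owned by kex->dh now */` immediately after the DH object is built, so the block stays safe on every `goto out`.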
| 
| BN_clear_free will null deref on this error path I think


void BN_clear_free(BIGNUM *a) 
{
    int i; 

    if (a == NULL)
        return;


christos
