CVE-2020-16135: Add missing NULL check for ssh_buffer_new()

Add a missing NULL check for the pointer returned by ssh_buffer_new() in
sftpserver.c.

Thanks to Ramin Farajpour Cami for spotting this.

Fixes T232

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
(cherry picked from commit 533d881b0f)

src/sftpserver.c

@@ -64,6 +64,12 @@ sftp_client_message sftp_get_client_message(sftp_session sftp) {
 
   /* take a copy of the whole packet */
   msg->complete_message = ssh_buffer_new();
+  if (msg->complete_message == NULL) {
+      ssh_set_error_oom(session);
+      sftp_client_message_free(msg);
+      return NULL;
+  }
+
   ssh_buffer_add_data(msg->complete_message,
                       ssh_buffer_get(payload),
                       ssh_buffer_get_len(payload));