From 8a3ea3bdd5181eb9e1c751d9c2961e73d716e140 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 26 Sep 2018 11:28:53 +0200
Subject: [PATCH] packet: Do not segfault if we don't have packet_second_block

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
---
 src/packet.c | 54 +++++++++++++++++++++++++++++++---------------------
 1 file changed, 32 insertions(+), 22 deletions(-)

diff --git a/src/packet.c b/src/packet.c
index 36c037eb..de0cc0a8 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -1065,32 +1065,42 @@ int ssh_packet_socket_callback(const void *data, size_t receivedlen, void *user)
             if (cleartext_packet == NULL) {
                 goto error;
             }
-            if (session->current_crypto) {
-                /*
-                 * Decrypt the rest of the packet (lenfield_blocksize bytes already
-                 * have been decrypted)
-                 */
-                if (packet_remaining > 0) {
-                    rc = ssh_packet_decrypt(session,
-                                            cleartext_packet,
-                                            (uint8_t *)data,
-                                            lenfield_blocksize,
-                                            processed - lenfield_blocksize);
+
+            if (packet_second_block != NULL) {
+                if (session->current_crypto != NULL) {
+                    /*
+                     * Decrypt the rest of the packet (lenfield_blocksize bytes
+                     * already have been decrypted)
+                     */
+                    if (packet_remaining > 0) {
+                        rc = ssh_packet_decrypt(session,
+                                                cleartext_packet,
+                                                (uint8_t *)data,
+                                                lenfield_blocksize,
+                                                processed - lenfield_blocksize);
+                        if (rc < 0) {
+                            ssh_set_error(session,
+                                          SSH_FATAL,
+                                          "Decryption error");
+                            goto error;
+                        }
+                    }
+                    mac = packet_second_block + packet_remaining;
+
+                    rc = ssh_packet_hmac_verify(session,
+                                                session->in_buffer,
+                                                mac,
+                                                session->current_crypto->in_hmac);
                     if (rc < 0) {
-                        ssh_set_error(session, SSH_FATAL, "Decryption error");
+                        ssh_set_error(session, SSH_FATAL, "HMAC error");
                         goto error;
                     }
+                    processed += current_macsize;
+                } else {
+                    memcpy(cleartext_packet,
+                           packet_second_block,
+                           packet_remaining);
                 }
-                mac = packet_second_block + packet_remaining;
-
-                rc = ssh_packet_hmac_verify(session, session->in_buffer, mac, session->current_crypto->in_hmac);
-                if (rc < 0) {
-                    ssh_set_error(session, SSH_FATAL, "HMAC error");
-                    goto error;
-                }
-                processed += current_macsize;
-            } else {
-                memcpy(cleartext_packet, packet_second_block, packet_remaining);
             }
 
             /* skip the size field which has been processed before */