Add return value and error checking for hash buffer cookie functions.

git-svn-id: svn+ssh://svn.berlios.de/svnroot/repos/libssh/trunk@419 7dcaeef0-15fb-0310-b436-a5af3365683c
2026-02-04 12:20:42 +09:00 · 2009-04-07 18:46:29 +00:00
parent 323ee63a1d
commit 8c05aab03d
3 changed files with 53 additions and 16 deletions
--- a/include/libssh/priv.h
+++ b/include/libssh/priv.h
@@ -532,8 +532,8 @@ void dh_import_pubkey(SSH_SESSION *session,STRING *pubkey_string);
 void dh_build_k(SSH_SESSION *session);
 int make_sessionid(SSH_SESSION *session);
 /* add data for the final cookie */
-void hashbufin_add_cookie(SSH_SESSION *session,unsigned char *cookie);
-void hashbufout_add_cookie(SSH_SESSION *session);
+int hashbufin_add_cookie(SSH_SESSION *session, unsigned char *cookie);
+int hashbufout_add_cookie(SSH_SESSION *session);
 void generate_session_keys(SSH_SESSION *session);
 /* returns 1 if server signature ok, 0 otherwise. The NEXT crypto is checked, not the current one */
 int signature_verify(SSH_SESSION *session,STRING *signature);
--- a/libssh/dh.c
+++ b/libssh/dh.c
@@ -502,20 +502,50 @@ error:
  return rc;
 }

-void hashbufout_add_cookie(SSH_SESSION *session){
-    session->out_hashbuf=buffer_new();
-    buffer_add_u8(session->out_hashbuf,20);
-    if(session->server)
-        buffer_add_data(session->out_hashbuf,session->server_kex.cookie,16);
-    else
-        buffer_add_data(session->out_hashbuf,session->client_kex.cookie,16);
+int hashbufout_add_cookie(SSH_SESSION *session) {
+  session->out_hashbuf = buffer_new();
+  if (session->out_hashbuf == NULL) {
+    return -1;
+  }
+
+  if (buffer_add_u8(session->out_hashbuf, 20) < 0) {
+    buffer_free(session->out_hashbuf);
+    return -1;
+  }
+
+  if (session->server) {
+    if (buffer_add_data(session->out_hashbuf,
+          session->server_kex.cookie, 16) < 0) {
+      buffer_free(session->out_hashbuf);
+      return -1;
+    }
+  } else {
+    if (buffer_add_data(session->out_hashbuf,
+          session->client_kex.cookie, 16) < 0) {
+      buffer_free(session->out_hashbuf);
+      return -1;
+    }
+  }
+
+  return 0;
 }

+int hashbufin_add_cookie(SSH_SESSION *session, unsigned char *cookie) {
+  session->in_hashbuf = buffer_new();
+  if (session->in_hashbuf == NULL) {
+    return -1;
+  }

-void hashbufin_add_cookie(SSH_SESSION *session,unsigned char *cookie){
-    session->in_hashbuf=buffer_new();
-    buffer_add_u8(session->in_hashbuf,20);
-    buffer_add_data(session->in_hashbuf,cookie,16);
+  if (buffer_add_u8(session->in_hashbuf, 20) < 0) {
+    buffer_free(session->in_hashbuf);
+    return -1;
+  }
+  if (buffer_add_data(session->in_hashbuf,cookie, 16) < 0) {
+    buffer_free(session->in_hashbuf);
+    return -1;
+  }
+
+  return 0;
 }

 /* TODO FIXME add return value for memory checks */
--- a/libssh/kex.c
+++ b/libssh/kex.c
@@ -243,7 +243,11 @@ int ssh_get_kex(SSH_SESSION *session,int server_kex ){
        leave_function();
        return -1;
    }
-    hashbufin_add_cookie(session,session->server_kex.cookie);
+    if (hashbufin_add_cookie(session, session->server_kex.cookie) < 0) {
+        ssh_set_error(session, SSH_FATAL, "get_kex(): adding cookie failed");
+        leave_function();
+        return -1;
+    }
    memset(strings,0,sizeof(char *)*10);
    for(i=0;i<10;++i){
        str=buffer_get_ssh_string(session->in_buffer);
@@ -337,7 +341,8 @@ int set_kex(SSH_SESSION *session){
    return 0;
 }

-/* this function only sends the predefined set of kex methods */    
+/* this function only sends the predefined set of kex methods */
+/* TODO add return value! */
 void ssh_send_kex(SSH_SESSION *session, int server_kex){
    STRING *str;
    int i=0;
@@ -345,7 +350,9 @@ void ssh_send_kex(SSH_SESSION *session, int server_kex){
    enter_function();
    buffer_add_u8(session->out_buffer,SSH2_MSG_KEXINIT);
    buffer_add_data(session->out_buffer,kex->cookie,16);
-    hashbufout_add_cookie(session);
+    if (hashbufout_add_cookie(session) < 0) {
+      return;
+    }
    ssh_list_kex(session, kex);
    for(i=0;i<10;i++){
        str=string_from_char(kex->methods[i]);