Add safety checks for all ssh_string_fill calls

These calls can fail and the return code should always be checked. These issues were identified when code review called it out on new code. The updates here are to existing code with no behavior changes to make review simpler. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2026-02-12 11:10:28 +09:00 · 2020-12-10 14:01:32 +00:00
parent f6a2f6190c
commit daeee74edd
8 changed files with 97 additions and 30 deletions
--- a/src/curve25519.c
+++ b/src/curve25519.c
@@ -377,12 +377,12 @@ void ssh_server_curve25519_init(ssh_session session){
 */
 static SSH_PACKET_CALLBACK(ssh_packet_server_curve25519_init){
    /* ECDH keys */
-    ssh_string q_c_string;
-    ssh_string q_s_string;
+    ssh_string q_c_string = NULL;
+    ssh_string q_s_string = NULL;
    ssh_string server_pubkey_blob = NULL;

    /* SSH host keys (rsa,dsa,ecdsa) */
-    ssh_key privkey;
+    ssh_key privkey = NULL;
    enum ssh_digest_e digest = SSH_DIGEST_AUTO;
    ssh_string sig_blob = NULL;
    int rc;
@@ -402,7 +402,6 @@ static SSH_PACKET_CALLBACK(ssh_packet_server_curve25519_init){
                      SSH_FATAL,
                      "Incorrect size for server Curve25519 public key: %zu",
                      ssh_string_len(q_c_string));
-        SSH_STRING_FREE(q_c_string);
        goto error;
    }

@@ -460,12 +459,17 @@ static SSH_PACKET_CALLBACK(ssh_packet_server_curve25519_init){
    /* add ecdh public key */
    q_s_string = ssh_string_new(CURVE25519_PUBKEY_SIZE);
    if (q_s_string == NULL) {
+        ssh_set_error_oom(session);
        goto error;
    }

-    ssh_string_fill(q_s_string,
-                    session->next_crypto->curve25519_server_pubkey,
-                    CURVE25519_PUBKEY_SIZE);
+    rc = ssh_string_fill(q_s_string,
+                         session->next_crypto->curve25519_server_pubkey,
+                         CURVE25519_PUBKEY_SIZE);
+    if (rc < 0) {
+        ssh_set_error(session, SSH_FATAL, "Could not copy public key");
+        goto error;
+    }

    rc = ssh_buffer_add_ssh_string(session->out_buffer, q_s_string);
    SSH_STRING_FREE(q_s_string);
@@ -508,6 +512,8 @@ static SSH_PACKET_CALLBACK(ssh_packet_server_curve25519_init){

    return SSH_PACKET_USED;
 error:
+    SSH_STRING_FREE(q_c_string);
+    SSH_STRING_FREE(q_s_string);
    ssh_buffer_reinit(session->out_buffer);
    session->session_state=SSH_SESSION_STATE_ERROR;
    return SSH_PACKET_USED;