Add missing null-pointer checks in key exchange.

Assorted calls to ssh_pkt_getstring in handling the later parts of key exchange (post-KEXINIT) were not checked for NULL afterwards, so that a variety of badly formatted key exchange packets would cause a crash rather than a sensible error message. None of these is an exploitable vulnerability - the server can only force a clean null-deref crash, not an access to actually interesting memory. Thanks to '3unnym00n' for pointing out one of these, causing me to find all the rest of them too. (cherry picked from commit 1eb578a488) Conflicts: ssh.c Cherry-picker's notes: the main conflict arose because the original commit also made fixes to the ECDH branch of the big key exchange if statement, which doesn't exist on this branch. Also there was a minor and purely textual conflict, when an error check was added right next to a function call that had acquired an extra parameter on master.
2025-01-10 09:58:01 +00:00 · 2015-06-13 15:22:03 +01:00 · 2015-06-13 15:22:03 +01:00 · 26fe1e26c0
commit 26fe1e26c0
parent 445395c9d3
1 changed files with 20 additions and 1 deletions
--- a/ssh.c
+++ b/ssh.c
@ -6668,13 +6668,20 @@ static void do_ssh2_transport(Ssh ssh, void *vin, int inlen,
        }
        set_busy_status(ssh->frontend, BUSY_CPU); /* cogitate */
        ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
-        s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
+        if (!s->hostkeydata) {
+            bombout(("unable to parse key exchange reply packet"));
+            crStopV;
+        }
        s->f = ssh2_pkt_getmp(pktin);
        if (!s->f) {
            bombout(("unable to parse key exchange reply packet"));
            crStopV;
        }
        ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
+        if (!s->sigdata) {
+            bombout(("unable to parse key exchange reply packet"));
+            crStopV;
+        }

        {
            const char *err = dh_validate_f(ssh->kex_ctx, s->f);
@ -6723,6 +6730,10 @@ static void do_ssh2_transport(Ssh ssh, void *vin, int inlen,
        }

        ssh_pkt_getstring(pktin, &s->hostkeydata, &s->hostkeylen);
+        if (!s->hostkeydata) {
+            bombout(("unable to parse RSA public key packet"));
+            crStopV;
+        }
        hash_string(ssh->kex->hash, ssh->exhash,
 		    s->hostkeydata, s->hostkeylen);
 	s->hkey = ssh->hostkey->newkey(s->hostkeydata, s->hostkeylen);
@ -6730,6 +6741,10 @@ static void do_ssh2_transport(Ssh ssh, void *vin, int inlen,
        {
            char *keydata;
            ssh_pkt_getstring(pktin, &keydata, &s->rsakeylen);
+            if (!keydata) {
+                bombout(("unable to parse RSA public key packet"));
+                crStopV;
+            }
            s->rsakeydata = snewn(s->rsakeylen, char);
            memcpy(s->rsakeydata, keydata, s->rsakeylen);
        }
@ -6806,6 +6821,10 @@ static void do_ssh2_transport(Ssh ssh, void *vin, int inlen,
        }

        ssh_pkt_getstring(pktin, &s->sigdata, &s->siglen);
+        if (!s->sigdata) {
+            bombout(("unable to parse signature packet"));
+            crStopV;
+        }

        sfree(s->rsakeydata);
    }