mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 09:12:24 +00:00

Fix use after free in ssh1login.

I was freeing the textual key fingerprint _before_ passing it to
seat_verify_ssh_host_key. Ahem.
Simon Tatham 2018-12-30 13:16:28 +00:00
parent 1270d445e8
commit 869ce8867e


@ -230,8 +230,8 @@ static void ssh1_login_process_queue(PacketProtocolLayer *ppl)
/* First check against manually configured host keys. */ /* First check against manually configured host keys. */
s->dlgret = verify_ssh_manual_host_key(s->conf, fingerprint, NULL); s->dlgret = verify_ssh_manual_host_key(s->conf, fingerprint, NULL);
sfree(fingerprint);
if (s->dlgret == 0) { /* did not match */ if (s->dlgret == 0) { /* did not match */
sfree(fingerprint);
sfree(keystr); sfree(keystr);
ssh_proto_error(s->ppl.ssh, "Host key did not appear in manually " ssh_proto_error(s->ppl.ssh, "Host key did not appear in manually "
"configured list"); "configured list");
@ -240,6 +240,7 @@ static void ssh1_login_process_queue(PacketProtocolLayer *ppl)
s->dlgret = seat_verify_ssh_host_key( s->dlgret = seat_verify_ssh_host_key(
s->ppl.seat, s->savedhost, s->savedport, s->ppl.seat, s->savedhost, s->savedport,
"rsa", keystr, fingerprint, ssh1_login_dialog_callback, s); "rsa", keystr, fingerprint, ssh1_login_dialog_callback, s);
sfree(fingerprint);
sfree(keystr); sfree(keystr);
#ifdef FUZZING #ifdef FUZZING
s->dlgret = 1; s->dlgret = 1;
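Review bot: Freeing `fingerprint` and `keystr` immediately after `seat_verify_ssh_host_key` returns is only safe if the seat never keeps those pointers, and the call is handed `ssh1_login_dialog_callback`, which suggests the verdict can arrive after the call has returned. If any seat implementation stores the strings for a pending dialog instead of copying them, the same use after free comes back in a different place. I would state the contract at the call site, e.g. `/* seat must copy keystr and fingerprint if it needs them after returning; both are freed below */`, and repeat it where seat_verify_ssh_host_key is declared. Separately, the free that used to run on every path now sits only in the two branches shown, so the manually-matched case (`s->dlgret > 0`), which lies outside these hunks, should be checked for its own `sfree(fingerprint);`. The body of ssh1_login_process_queue starts and ends outside the hunks.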