From c6d7ffda68ee9ec82c4235efa5c6559889ba6d86 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Mon, 29 Aug 2022 13:43:07 +0100
Subject: [PATCH] Fix crash in GSSAPI key exchange.
Introduced recently by commit 42740a54550476e, in which I decided to call ssh_key_cache_str() even on certified host keys. But that call was conditional on s->hkey being non-NULL (which happens in GSS KEX) as well as on it not being certified, and I managed to absentmindedly remove _both_ conditions. As a result we got a null-pointer dereference on any GSS kex.
---
 ssh/kex2-client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ssh/kex2-client.c b/ssh/kex2-client.c
index 5935ef29..a437d92e 100644
--- a/ssh/kex2-client.c
+++ b/ssh/kex2-client.c
@@ -718,7 +718,7 @@ void ssh2kex_coroutine(struct ssh2_transport_state *s, bool *aborted)
 }
 }
- s->keystr = ssh_key_cache_str(s->hkey);
+ s->keystr = s->hkey ? ssh_key_cache_str(s->hkey) : NULL;
 #ifndef NO_GSSAPI
 if (s->gss_kex_used) {
 /*
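Review bot: The new ternary accepts a NULL s->hkey on every path, not only the GSS key-exchange case the commit message describes, so a non-GSS exchange that reached this line without a host key would continue with s->keystr == NULL and no host-key cache entry instead of failing loudly. If GSS KEX is the only legitimate source of a NULL s->hkey here, pin that next to the assignment, e.g. `assert(s->hkey || s->gss_kex_used);` immediately before `s->keystr = s->hkey ? ssh_key_cache_str(s->hkey) : NULL;` (the `s->gss_kex_used` test on the following context line suggests that flag is the right discriminator, though how it is set is not visible in this hunk). A short comment on the new line would also help the next reader, e.g. `/* No host key to cache when the server was authenticated by GSSAPI KEX. */`. Every later reader of s->keystr must now tolerate NULL; none is visible in this hunk, so that needs confirming against the rest of the function. ssh2kex_coroutine both starts and ends outside the hunk.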