asedeno.scripts.mit.edu Git - PuTTY.git/commit

author	Simon Tatham <anakin@pobox.com>
	Sat, 13 Jun 2015 14:22:03 +0000 (15:22 +0100)
committer	Simon Tatham <anakin@pobox.com>
	Sat, 20 Jun 2015 11:47:43 +0000 (12:47 +0100)
commit	26fe1e26c0f7ab42440332882295667d4a0ac500
tree	55f3c7db0b3d045d76bac2bd058bea637f79959b	tree \| snapshot
parent	445395c9d31dd49424cd5a01f8aa3f75a69cfe67	commit \| diff

Add missing null-pointer checks in key exchange.

Assorted calls to ssh_pkt_getstring in handling the later parts of key
exchange (post-KEXINIT) were not checked for NULL afterwards, so that
a variety of badly formatted key exchange packets would cause a crash
rather than a sensible error message.

None of these is an exploitable vulnerability - the server can only
force a clean null-deref crash, not an access to actually interesting
memory.

Thanks to '3unnym00n' for pointing out one of these, causing me to
find all the rest of them too.

(cherry picked from commit 1eb578a488a71284d6b18e46df301e54805f2c35)

Conflicts:
ssh.c

Cherry-picker's notes: the main conflict arose because the original
commit also made fixes to the ECDH branch of the big key exchange if
statement, which doesn't exist on this branch. Also there was a minor
and purely textual conflict, when an error check was added right next
to a function call that had acquired an extra parameter on master.