Fix segfault if the server maliciously sends the wrong type of key

after a different type has been agreed.

[originally from svn r1165]

diff --git a/ssh.c b/ssh.c
index e2c2d73726fcbbcb459c8dba94a462c774a1e9b1..a41e3bf485244f45a7154d3422436b23416079b0 100644 (file)
--- a/ssh.c
+++ b/ssh.c
@@ -2955,8 +2955,9 @@ static int do_ssh2_transport(unsigned char *in, int inlen, int ispkt)
 #endif
 
     hkey = hostkey->newkey(hostkeydata, hostkeylen);
 #endif
 
     hkey = hostkey->newkey(hostkeydata, hostkeylen);

-    if (!hostkey->verifysig(hkey, sigdata, siglen, exchange_hash, 20)) {
-       bombout(("Server failed host key check"));
+    if (!hkey ||
+       !hostkey->verifysig(hkey, sigdata, siglen, exchange_hash, 20)) {
+       bombout(("Server's host key did not match the signature supplied"));

        crReturn(0);
     }
 
        crReturn(0);
     }