]> asedeno.scripts.mit.edu Git - PuTTY.git/commitdiff
projects / PuTTY.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f69b371)
Another ecdsa_newkey crash: initialise ec->privateKey earlier.
authorBen Harris <bjh21@bjh21.me.uk>
Fri, 9 Oct 2015 23:20:51 +0000 (00:20 +0100)
committerBen Harris <bjh21@bjh21.me.uk>
Wed, 28 Oct 2015 22:08:32 +0000 (22:08 +0000)
This one might be exploitable, since without the fix, ecdsa_freekey()
tries to wipe the bignum pointed to by an uninitialised pointer.

Bug found with the help of afl-fuzz.

sshecc.c patch | blob | history

diff --git a/sshecc.c b/sshecc.c
index 9f188df89b5cc27622cd73f1a031d098e292d18b..bc842d0b467fa5f667d3a2856f5a6096f25e9ff4 100644 (file)
--- a/sshecc.c
+++ b/sshecc.c
@@ -1782,11 +1782,11 @@ static void *ecdsa_newkey(const struct ssh_signkey *self,
     ec->publicKey.x = NULL;
     ec->publicKey.y = NULL;
     ec->publicKey.z = NULL;
+    ec->privateKey = NULL;
     if (!getmppoint(&data, &len, &ec->publicKey)) {
         ecdsa_freekey(ec);
         return NULL;
     }
-    ec->privateKey = NULL;
 
     if (!ec->publicKey.x || !ec->publicKey.y ||
         bignum_cmp(ec->publicKey.x, curve->p) >= 0 ||
local copy of git://git.tartarus.org/simon/putty.git