45 lines
1.6 KiB
Diff
45 lines
1.6 KiB
Diff
From 53ac23ded4cb2c5463f6c4cd1525331bd578812d Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@cryptomilk.org>
|
|
Date: Wed, 6 Aug 2025 15:17:59 +0200
|
|
Subject: [PATCH] CVE-2025-8114: Fix NULL pointer dereference after allocation
|
|
failure
|
|
|
|
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
|
|
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
|
|
---
|
|
src/kex.c | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
diff --git a/src/kex.c b/src/kex.c
|
|
index f1c1b0147..02f2735fc 100644
|
|
--- a/src/kex.c
|
|
+++ b/src/kex.c
|
|
@@ -1569,6 +1569,8 @@ int ssh_make_sessionid(ssh_session session)
|
|
ssh_log_hexdump("hash buffer", ssh_buffer_get(buf), ssh_buffer_get_len(buf));
|
|
#endif
|
|
|
|
+ /* Set rc for the following switch statement in case we goto error. */
|
|
+ rc = SSH_ERROR;
|
|
switch (session->next_crypto->kex_type) {
|
|
case SSH_KEX_DH_GROUP1_SHA1:
|
|
case SSH_KEX_DH_GROUP14_SHA1:
|
|
@@ -1629,6 +1631,7 @@ int ssh_make_sessionid(ssh_session session)
|
|
session->next_crypto->secret_hash);
|
|
break;
|
|
}
|
|
+
|
|
/* During the first kex, secret hash and session ID are equal. However, after
|
|
* a key re-exchange, a new secret hash is calculated. This hash will not replace
|
|
* but complement existing session id.
|
|
@@ -1637,6 +1640,7 @@ int ssh_make_sessionid(ssh_session session)
|
|
session->next_crypto->session_id = malloc(session->next_crypto->digest_len);
|
|
if (session->next_crypto->session_id == NULL) {
|
|
ssh_set_error_oom(session);
|
|
+ rc = SSH_ERROR;
|
|
goto error;
|
|
}
|
|
memcpy(session->next_crypto->session_id, session->next_crypto->secret_hash,
|
|
--
|
|
GitLab
|
|
|