upstream: memleak in error path; spotted by oss-fuzz, ok markus@
OpenBSD-Commit-ID: d6ed260cbbc297ab157ad63931802fb1ef7a4266
This commit is contained in:
djm@openbsd.org
Damien Miller
parent
9b9e3ca694
commit
d7d116b6d9
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: sshkey-xmss.c,v 1.6 2019/10/09 00:02:57 djm Exp $ */
|
/* $OpenBSD: sshkey-xmss.c,v 1.7 2019/10/14 06:00:02 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2017 Markus Friedl. All rights reserved.
|
* Copyright (c) 2017 Markus Friedl. All rights reserved.
|
||||||
*
|
*
|
||||||
|
|
@ -748,7 +748,7 @@ sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
|
||||||
u_int32_t i, lh, node;
|
u_int32_t i, lh, node;
|
||||||
size_t ls, lsl, la, lk, ln, lr;
|
size_t ls, lsl, la, lk, ln, lr;
|
||||||
char *magic;
|
char *magic;
|
||||||
int r;
|
int r = SSH_ERR_INTERNAL_ERROR;
|
||||||
|
|
||||||
if (state == NULL)
|
if (state == NULL)
|
||||||
return SSH_ERR_INVALID_ARGUMENT;
|
return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
|
@ -767,9 +767,11 @@ sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
|
||||||
(r = sshbuf_get_string(b, &state->th_nodes, &ln)) != 0 ||
|
(r = sshbuf_get_string(b, &state->th_nodes, &ln)) != 0 ||
|
||||||
(r = sshbuf_get_string(b, &state->retain, &lr)) != 0 ||
|
(r = sshbuf_get_string(b, &state->retain, &lr)) != 0 ||
|
||||||
(r = sshbuf_get_u32(b, &lh)) != 0)
|
(r = sshbuf_get_u32(b, &lh)) != 0)
|
||||||
return r;
|
goto out;
|
||||||
if (strcmp(magic, SSH_XMSS_K2_MAGIC) != 0)
|
if (strcmp(magic, SSH_XMSS_K2_MAGIC) != 0) {
|
||||||
return SSH_ERR_INVALID_ARGUMENT;
|
r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
/* XXX check stackoffset */
|
/* XXX check stackoffset */
|
||||||
if (ls != num_stack(state) ||
|
if (ls != num_stack(state) ||
|
||||||
lsl != num_stacklevels(state) ||
|
lsl != num_stacklevels(state) ||
|
||||||
|
|
@ -777,8 +779,10 @@ sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
|
||||||
lk != num_keep(state) ||
|
lk != num_keep(state) ||
|
||||||
ln != num_th_nodes(state) ||
|
ln != num_th_nodes(state) ||
|
||||||
lr != num_retain(state) ||
|
lr != num_retain(state) ||
|
||||||
lh != num_treehash(state))
|
lh != num_treehash(state)) {
|
||||||
return SSH_ERR_INVALID_ARGUMENT;
|
r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
for (i = 0; i < num_treehash(state); i++) {
|
for (i = 0; i < num_treehash(state); i++) {
|
||||||
th = &state->treehash[i];
|
th = &state->treehash[i];
|
||||||
if ((r = sshbuf_get_u32(b, &th->h)) != 0 ||
|
if ((r = sshbuf_get_u32(b, &th->h)) != 0 ||
|
||||||
|
|
@ -786,7 +790,7 @@ sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
|
||||||
(r = sshbuf_get_u32(b, &th->stackusage)) != 0 ||
|
(r = sshbuf_get_u32(b, &th->stackusage)) != 0 ||
|
||||||
(r = sshbuf_get_u8(b, &th->completed)) != 0 ||
|
(r = sshbuf_get_u8(b, &th->completed)) != 0 ||
|
||||||
(r = sshbuf_get_u32(b, &node)) != 0)
|
(r = sshbuf_get_u32(b, &node)) != 0)
|
||||||
return r;
|
goto out;
|
||||||
if (node < num_th_nodes(state))
|
if (node < num_th_nodes(state))
|
||||||
th->node = &state->th_nodes[node];
|
th->node = &state->th_nodes[node];
|
||||||
}
|
}
|
||||||
|
|
@ -794,7 +798,11 @@ sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
|
||||||
xmss_set_bds_state(&state->bds, state->stack, state->stackoffset,
|
xmss_set_bds_state(&state->bds, state->stack, state->stackoffset,
|
||||||
state->stacklevels, state->auth, state->keep, state->treehash,
|
state->stacklevels, state->auth, state->keep, state->treehash,
|
||||||
state->retain, 0);
|
state->retain, 0);
|
||||||
return 0;
|
/* success */
|
||||||
|
r = 0;
|
||||||
|
out:
|
||||||
|
free(magic);
|
||||||
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue