summaryrefslogtreecommitdiff
path: root/sshkey-xmss.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2019-10-14 06:00:02 +0000
committerDamien Miller <djm@mindrot.org>2019-10-14 17:03:54 +1100
commitd7d116b6d9e6cb79cc235e9801caa683d3db3181 (patch)
tree653f5ba285930d2ba622db7d613d590fed2f3e64 /sshkey-xmss.c
parent9b9e3ca6945351eefb821ff783a4a8e6d9b98b9a (diff)
upstream: memleak in error path; spotted by oss-fuzz, ok markus@
OpenBSD-Commit-ID: d6ed260cbbc297ab157ad63931802fb1ef7a4266
Diffstat (limited to 'sshkey-xmss.c')
-rw-r--r--sshkey-xmss.c26
1 files changed, 17 insertions, 9 deletions
diff --git a/sshkey-xmss.c b/sshkey-xmss.c
index 9e5f5e475..e8e2e3816 100644
--- a/sshkey-xmss.c
+++ b/sshkey-xmss.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshkey-xmss.c,v 1.6 2019/10/09 00:02:57 djm Exp $ */ 1/* $OpenBSD: sshkey-xmss.c,v 1.7 2019/10/14 06:00:02 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2017 Markus Friedl. All rights reserved. 3 * Copyright (c) 2017 Markus Friedl. All rights reserved.
4 * 4 *
@@ -748,7 +748,7 @@ sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
748 u_int32_t i, lh, node; 748 u_int32_t i, lh, node;
749 size_t ls, lsl, la, lk, ln, lr; 749 size_t ls, lsl, la, lk, ln, lr;
750 char *magic; 750 char *magic;
751 int r; 751 int r = SSH_ERR_INTERNAL_ERROR;
752 752
753 if (state == NULL) 753 if (state == NULL)
754 return SSH_ERR_INVALID_ARGUMENT; 754 return SSH_ERR_INVALID_ARGUMENT;
@@ -767,9 +767,11 @@ sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
767 (r = sshbuf_get_string(b, &state->th_nodes, &ln)) != 0 || 767 (r = sshbuf_get_string(b, &state->th_nodes, &ln)) != 0 ||
768 (r = sshbuf_get_string(b, &state->retain, &lr)) != 0 || 768 (r = sshbuf_get_string(b, &state->retain, &lr)) != 0 ||
769 (r = sshbuf_get_u32(b, &lh)) != 0) 769 (r = sshbuf_get_u32(b, &lh)) != 0)
770 return r; 770 goto out;
771 if (strcmp(magic, SSH_XMSS_K2_MAGIC) != 0) 771 if (strcmp(magic, SSH_XMSS_K2_MAGIC) != 0) {
772 return SSH_ERR_INVALID_ARGUMENT; 772 r = SSH_ERR_INVALID_ARGUMENT;
773 goto out;
774 }
773 /* XXX check stackoffset */ 775 /* XXX check stackoffset */
774 if (ls != num_stack(state) || 776 if (ls != num_stack(state) ||
775 lsl != num_stacklevels(state) || 777 lsl != num_stacklevels(state) ||
@@ -777,8 +779,10 @@ sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
777 lk != num_keep(state) || 779 lk != num_keep(state) ||
778 ln != num_th_nodes(state) || 780 ln != num_th_nodes(state) ||
779 lr != num_retain(state) || 781 lr != num_retain(state) ||
780 lh != num_treehash(state)) 782 lh != num_treehash(state)) {
781 return SSH_ERR_INVALID_ARGUMENT; 783 r = SSH_ERR_INVALID_ARGUMENT;
784 goto out;
785 }
782 for (i = 0; i < num_treehash(state); i++) { 786 for (i = 0; i < num_treehash(state); i++) {
783 th = &state->treehash[i]; 787 th = &state->treehash[i];
784 if ((r = sshbuf_get_u32(b, &th->h)) != 0 || 788 if ((r = sshbuf_get_u32(b, &th->h)) != 0 ||
@@ -786,7 +790,7 @@ sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
786 (r = sshbuf_get_u32(b, &th->stackusage)) != 0 || 790 (r = sshbuf_get_u32(b, &th->stackusage)) != 0 ||
787 (r = sshbuf_get_u8(b, &th->completed)) != 0 || 791 (r = sshbuf_get_u8(b, &th->completed)) != 0 ||
788 (r = sshbuf_get_u32(b, &node)) != 0) 792 (r = sshbuf_get_u32(b, &node)) != 0)
789 return r; 793 goto out;
790 if (node < num_th_nodes(state)) 794 if (node < num_th_nodes(state))
791 th->node = &state->th_nodes[node]; 795 th->node = &state->th_nodes[node];
792 } 796 }
@@ -794,7 +798,11 @@ sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
794 xmss_set_bds_state(&state->bds, state->stack, state->stackoffset, 798 xmss_set_bds_state(&state->bds, state->stack, state->stackoffset,
795 state->stacklevels, state->auth, state->keep, state->treehash, 799 state->stacklevels, state->auth, state->keep, state->treehash,
796 state->retain, 0); 800 state->retain, 0);
797 return 0; 801 /* success */
802 r = 0;
803 out:
804 free(magic);
805 return r;
798} 806}
799 807
800int 808int