upstream: memleak in error path; spotted by oss-fuzz, ok markus@

OpenBSD-Commit-ID: d6ed260cbbc297ab157ad63931802fb1ef7a4266
author: djm@openbsd.org <djm@openbsd.org> 2019-10-14 06:00:02 +0000
committer: Damien Miller <djm@mindrot.org> 2019-10-14 17:03:54 +1100
commit: d7d116b6d9e6cb79cc235e9801caa683d3db3181 (patch)
tree: 653f5ba285930d2ba622db7d613d590fed2f3e64 /sshkey-xmss.c
parent: 9b9e3ca6945351eefb821ff783a4a8e6d9b98b9a (diff)
1 files changed, 17 insertions, 9 deletions
diff --git a/sshkey-xmss.c b/sshkey-xmss.c
index 9e5f5e475..e8e2e3816 100644
--- a/sshkey-xmss.c
+++ b/sshkey-xmss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey-xmss.c,v 1.6 2019/10/09 00:02:57 djm Exp $ */
+/* $OpenBSD: sshkey-xmss.c,v 1.7 2019/10/14 06:00:02 djm Exp $ */
 /*
 * Copyright (c) 2017 Markus Friedl.  All rights reserved.
 *
@@ -748,7 +748,7 @@ sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
        u_int32_t i, lh, node;
        size_t ls, lsl, la, lk, ln, lr;
        char *magic;
-        int r;
+        int r = SSH_ERR_INTERNAL_ERROR;
        if (state == NULL)
                return SSH_ERR_INVALID_ARGUMENT;
@@ -767,9 +767,11 @@ sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
            (r = sshbuf_get_string(b, &state->th_nodes, &ln)) != 0 ||
            (r = sshbuf_get_string(b, &state->retain, &lr)) != 0 ||
            (r = sshbuf_get_u32(b, &lh)) != 0)
-                return r;
+                goto out;
-        if (strcmp(magic, SSH_XMSS_K2_MAGIC) != 0)
+        if (strcmp(magic, SSH_XMSS_K2_MAGIC) != 0) {
-                return SSH_ERR_INVALID_ARGUMENT;
+                r = SSH_ERR_INVALID_ARGUMENT;
+                goto out;
+        }
        /* XXX check stackoffset */
        if (ls != num_stack(state) ||
            lsl != num_stacklevels(state) ||
@@ -777,8 +779,10 @@ sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
            lk != num_keep(state) ||
            ln != num_th_nodes(state) ||
            lr != num_retain(state) ||
-            lh != num_treehash(state))
+            lh != num_treehash(state)) {
-                return SSH_ERR_INVALID_ARGUMENT;
+                r = SSH_ERR_INVALID_ARGUMENT;
+                goto out;
+        }
        for (i = 0; i < num_treehash(state); i++) {
                th = &state->treehash[i];
                if ((r = sshbuf_get_u32(b, &th->h)) != 0 ||
@@ -786,7 +790,7 @@ sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
                    (r = sshbuf_get_u32(b, &th->stackusage)) != 0 ||
                    (r = sshbuf_get_u8(b, &th->completed)) != 0 ||
                    (r = sshbuf_get_u32(b, &node)) != 0)
-                        return r;
+                        goto out;
                if (node < num_th_nodes(state))
                        th->node = &state->th_nodes[node];
        }
@@ -794,7 +798,11 @@ sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
        xmss_set_bds_state(&state->bds, state->stack, state->stackoffset,
            state->stacklevels, state->auth, state->keep, state->treehash,
            state->retain, 0);
-        return 0;
+        /* success */
+        r = 0;
+ out:
+        free(magic);
+        return r;
 }
 int
author	djm@openbsd.org <djm@openbsd.org>	2019-10-14 06:00:02 +0000
committer	Damien Miller <djm@mindrot.org>	2019-10-14 17:03:54 +1100
commit	d7d116b6d9e6cb79cc235e9801caa683d3db3181 (patch)
tree	653f5ba285930d2ba622db7d613d590fed2f3e64 /sshkey-xmss.c
parent	9b9e3ca6945351eefb821ff783a4a8e6d9b98b9a (diff)