3 files changed, 12 insertions, 4 deletions

diff --git a/ChangeLog b/ChangeLog
index 862d55eaa..a10870522 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -97,6 +97,10 @@
      [packet.c]
      Move some more statics into session_state
      ok markus@ djm@
+   - dtucker@cvs.openbsd.org 2009/06/21 07:37:15
+     [kexdhs.c kexgexs.c]
+     abort if key_sign fails, preventing possible null deref.  Based on report
+     from Paolo Ganci, ok markus@ djm@
 
 20090616
  - (dtucker) [configure.ac defines.h] Bug #1607: handle the case where fsid_t
diff --git a/kexdhs.c b/kexdhs.c
index 861708818..a6719f672 100644
--- a/kexdhs.c
+++ b/kexdhs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexdhs.c,v 1.9 2006/11/06 21:25:28 markus Exp $ */
+/* $OpenBSD: kexdhs.c,v 1.10 2009/06/21 07:37:15 dtucker Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -137,7 +137,9 @@ kexdh_server(Kex *kex)
         }
 
         /* sign H */
-        PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
+        if (PRIVSEP(key_sign(server_host_key, &signature, &slen, hash,
+            hashlen)) < 0)
+                fatal("kexdh_server: key_sign failed");
 
         /* destroy_sensitive_data(); */
 
diff --git a/kexgexs.c b/kexgexs.c
index 76a0f8ca7..8515568b3 100644
--- a/kexgexs.c
+++ b/kexgexs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexs.c,v 1.11 2009/01/01 21:17:36 djm Exp $ */
+/* $OpenBSD: kexgexs.c,v 1.12 2009/06/21 07:37:15 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -179,7 +179,9 @@ kexgex_server(Kex *kex)
         }
 
         /* sign H */
-        PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
+        if (PRIVSEP(key_sign(server_host_key, &signature, &slen, hash,
+            hashlen)) < 0)
+                fatal("kexgex_server: key_sign failed");
 
         /* destroy_sensitive_data(); */