From 362b20a0bc02330949bf49da5973228e875fc0b0 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Mon, 7 May 2018 20:09:56 +0200
Subject: [PATCH] server: Fix segfault in dh_handshake_server()

Thanks to Felix Jones

Fixes T91

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
---
 src/server.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/server.c b/src/server.c
index 2ff6f0cc..1be948f1 100644
--- a/src/server.c
+++ b/src/server.c
@@ -293,6 +293,7 @@ static int dh_handshake_server(ssh_session session) {
   ssh_key privkey;
   ssh_string sig_blob;
   ssh_string f;
+  ssh_string pubkey_blob = NULL;
   int rc;
 
   if (ssh_dh_generate_y(session) < 0) {
@@ -334,14 +335,23 @@ static int dh_handshake_server(ssh_session session) {
     return -1;
   }
 
+  rc = ssh_dh_get_next_server_publickey_blob(session, &pubkey_blob);
+  if (rc != SSH_OK) {
+      ssh_set_error_oom(session);
+      ssh_string_free(f);
+      ssh_string_free(sig_blob);
+      return -1;
+  }
+
   rc = ssh_buffer_pack(session->out_buffer,
                        "bSSS",
                        SSH2_MSG_KEXDH_REPLY,
-                       session->next_crypto->server_pubkey,
+                       pubkey_blob,
                        f,
                        sig_blob);
   ssh_string_free(f);
   ssh_string_free(sig_blob);
+  ssh_string_free(pubkey_blob);
   if(rc != SSH_OK){
     ssh_set_error_oom(session);
     ssh_buffer_reinit(session->out_buffer);