From e00ef9635a487f408e723540b1cbb3b6872af9ca Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Tue, 22 Oct 2019 11:52:28 +0200
Subject: [PATCH] packet: Do not deref a NULL pointer in ssh_packet_set_newkeys()
Fixes T183
Signed-off-by: Andreas Schneider
Reviewed-by: Jakub Jelen
---
 src/packet.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/packet.c b/src/packet.c
index 80e2a982..f9971827 100644
--- a/src/packet.c
+++ b/src/packet.c
@@ -1884,6 +1884,10 @@ ssh_packet_set_newkeys(ssh_session session,
 direction & SSH_DIRECTION_IN ? " IN " : "",
 direction & SSH_DIRECTION_OUT ? " OUT " : "");
+ if (session->next_crypto == NULL) {
+ return SSH_ERROR;
+ }
+
 session->next_crypto->used |= direction;
 if (session->current_crypto != NULL) {
 if (session->current_crypto->used & direction) {
@@ -1949,6 +1953,11 @@ ssh_packet_set_newkeys(ssh_session session,
 return SSH_ERROR;
 }
+ if (session->next_crypto->in_cipher == NULL ||
+ session->next_crypto->out_cipher == NULL) {
+ return SSH_ERROR;
+ }
+
 /* Initialize rekeying states */
 ssh_init_rekey_state(session,
 session->next_crypto->out_cipher);
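Review bot: The new guard in the first hunk (`@@ -1884,6 +1884,10 @@`) returns `SSH_ERROR` without recording a reason, and the cipher guard in the second hunk does the same. A missing `next_crypto` at the moment new keys are activated is a protocol-state anomaly that operators will want to see in logs, so the return should be preceded by something like `ssh_set_error(session, SSH_FATAL, "ssh_packet_set_newkeys: no next_crypto to activate");`. Whether the other error paths of this function already set an error cannot be confirmed here, because ssh_packet_set_newkeys() starts and ends outside the hunk.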
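Review bot: The cipher check in the second hunk (`@@ -1949,6 +1953,11 @@`) runs only after `session->next_crypto->used |= direction;` from the first hunk and after about sixty lines of the function that are not shown, so this `return SSH_ERROR;` can be reached with key state already modified. If the code in between swaps or frees crypto contexts, a caller that does not treat the error as fatal could continue on a partially switched session. Where the same `next_crypto` object is still in place, consider validating `in_cipher` and `out_cipher` before any state is changed; otherwise document the contract with a comment such as `/* key state may be partially switched here: caller must treat SSH_ERROR as fatal */`. The function body continues outside the hunk.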