lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-11-27 13:21:11 +03:00
Code Activity

CVE-2021-3634: Create a separate length for session_id

Browse Source 
Normally, the length of session_id and secret_hash is the same,
but if we will get into rekeying with a peer that changes preference
of key exchange algorithm, the new secret hash can be larger or
smaller than the previous session_id causing invalid reads or writes.

Resolves https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35485

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Jakub Jelen
2021-06-23 13:16:33 +02:00
parent a3b2229a4e
commit f5211239f9
10 changed files with 23 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/wrapper.c
View File

@@ -187,7 +187,7 @@ void crypto_free(struct ssh_crypto_struct *crypto)
#endif
SAFE_FREE(crypto->dh_server_signature);
if (crypto->session_id != NULL) {
explicit_bzero(crypto->session_id, crypto->digest_len);
explicit_bzero(crypto->session_id, crypto->session_id_len);
SAFE_FREE(crypto->session_id);
}
if (crypto->secret_hash != NULL) {