From 73be9fab04691ab6d1e1cabe39b4c79b9c7421ba Mon Sep 17 00:00:00 2001
From: Jasmeet Bagga
Date: Tue, 2 Nov 2010 00:02:25 +0100
Subject: [PATCH] kex_agree_hostkey: fix NULL pointer derefence

While setting up the session, ssh tries to determine the type of encryption method it can use for the session. This requires looking at the keys offered by the remote host and comparing these with the methods supported by libssh2 (rsa & dss). To do this there is an iteration over the array containing the methods supported by libssh2. If there is no agreement on the type of encryption we come to the 3rd entry of the hostkeyp array. Here hostkeyp is valid but *hostkep is NULL. Thus when we dereference that in (*hostkeyp)->name there is a crash
---
 src/kex.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/kex.c b/src/kex.c
index 54527ea0..cbfe26a4 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -1273,7 +1273,7 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session,
 return -1;
 }
 
- while (hostkeyp && (*hostkeyp)->name) {
+ while (hostkeyp && (*hostkeyp) && (*hostkeyp)->name) {
 s = kex_agree_instr(hostkey, hostkey_len,
 (unsigned char *) (*hostkeyp)->name,
 strlen((*hostkeyp)->name));
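Review bot: The added `(*hostkeyp)` test on the new `while` line is the real terminator check for this table, not a belt-and-braces guard: per the description the array's last entry is a NULL pointer, so `(*hostkeyp)->name` alone could never end the loop and the crash returns if someone later "simplifies" the condition back. A comment on that line would pin this down, e.g. `/* hostkeyp walks a NULL-terminated array; the NULL-entry test is the loop terminator */`. Since the offered host key list comes from the remote peer (again per the description), this was a remotely triggerable crash before any authentication, and a regression test in which the server advertises only host key types libssh2 does not support would keep it fixed. If the other kex_agree_* helpers in this file iterate their method tables with the same `(*p)->name` shape, they deserve the same check. kex_agree_hostkey begins and ends outside the hunk.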