From d51dc0d80eba186a9439dade695a5169261366cd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <mail@cynapses.org>
Date: Tue, 7 Apr 2009 19:27:50 +0000
Subject: [PATCH] Add more error checks to ssh_get_kex().

git-svn-id: svn+ssh://svn.berlios.de/svnroot/repos/libssh/trunk@421 7dcaeef0-15fb-0310-b436-a5af3365683c
---
 libssh/client.c |   2 +-
 libssh/kex.c    | 126 +++++++++++++++++++++++++++++-------------------
 libssh/server.c |   3 +-
 3 files changed, 79 insertions(+), 52 deletions(-)

diff --git a/libssh/client.c b/libssh/client.c
index 63c5de6d..d91c55cb 100644
--- a/libssh/client.c
+++ b/libssh/client.c
@@ -351,7 +351,7 @@ int ssh_connect(SSH_SESSION *session){
   set_status(options,0.5);
   switch(session->version){
       case 2:
-        if(ssh_get_kex(session,0)){
+        if(ssh_get_kex(session,0) < 0) {
             ssh_socket_close(session->socket);
             session->alive=0;
             leave_function();
diff --git a/libssh/kex.c b/libssh/kex.c
index 803141e6..0d89f305 100644
--- a/libssh/kex.c
+++ b/libssh/kex.c
@@ -229,57 +229,83 @@ char *ssh_find_matching(const char *in_d, const char *what_d){
     return NULL;
 }
 
-int ssh_get_kex(SSH_SESSION *session,int server_kex ){
-    STRING *str;
-    char *strings[10];
-    int i;
-    enter_function();
-    if(packet_wait(session,SSH2_MSG_KEXINIT,1)){
-    	leave_function();
-    	return -1;
-    }
-    if(buffer_get_data(session->in_buffer,session->server_kex.cookie,16)!=16){
-        ssh_set_error(session,SSH_FATAL,"get_kex(): no cookie in packet");
-        leave_function();
-        return -1;
-    }
-    if (hashbufin_add_cookie(session, session->server_kex.cookie) < 0) {
-        ssh_set_error(session, SSH_FATAL, "get_kex(): adding cookie failed");
-        leave_function();
-        return -1;
-    }
-    memset(strings,0,sizeof(char *)*10);
-    for(i=0;i<10;++i){
-        str=buffer_get_ssh_string(session->in_buffer);
-        if(!str)
-            break;
-        if(str){
-            buffer_add_ssh_string(session->in_hashbuf,str);
-            strings[i]=string_to_char(str);
-            free(str);
-        } else
-            strings[i]=NULL;
-    }
-    /* copy the server kex info into an array of strings */
-    if(server_kex){
-        session->client_kex.methods = malloc(10 * sizeof(char **));
-        if (session->client_kex.methods == NULL) {
-          leave_function();
-          return -1;
-        }
-        for(i=0;i<10;++i)
-            session->client_kex.methods[i]=strings[i];
-    } else { // client     
-        session->server_kex.methods = malloc(10 * sizeof(char **));
-        if (session->server_kex.methods == NULL) {
-          leave_function();
-          return -1;
-        }
-        for(i=0;i<10;++i)
-            session->server_kex.methods[i]=strings[i];
-    }
+int ssh_get_kex(SSH_SESSION *session, int server_kex) {
+  STRING *str = NULL;
+  char *strings[10];
+  int i;
+
+  enter_function();
+
+  if (packet_wait(session, SSH2_MSG_KEXINIT, 1)) {
     leave_function();
-    return 0;
+    return -1;
+  }
+
+  if (buffer_get_data(session->in_buffer,session->server_kex.cookie,16) != 16) {
+    ssh_set_error(session, SSH_FATAL, "get_kex(): no cookie in packet");
+    leave_function();
+    return -1;
+  }
+
+  if (hashbufin_add_cookie(session, session->server_kex.cookie) < 0) {
+    ssh_set_error(session, SSH_FATAL, "get_kex(): adding cookie failed");
+    leave_function();
+    return -1;
+  }
+
+  memset(strings, 0, sizeof(char *) * 10);
+
+  for (i = 0; i < 10; i++) {
+    str = buffer_get_ssh_string(session->in_buffer);
+    if (str == NULL) {
+      break;
+    }
+
+    if (buffer_add_ssh_string(session->in_hashbuf, str) < 0) {
+      goto error;
+    }
+
+    strings[i] = string_to_char(str);
+    if (strings[i] == NULL) {
+      goto error;
+    }
+    string_free(str);
+    str = NULL;
+  }
+
+  /* copy the server kex info into an array of strings */
+  if (server_kex) {
+    session->client_kex.methods = malloc(10 * sizeof(char **));
+    if (session->client_kex.methods == NULL) {
+      leave_function();
+      return -1;
+    }
+
+    for (i = 0; i < 10; i++) {
+      session->client_kex.methods[i] = strings[i];
+    }
+  } else { /* client */
+    session->server_kex.methods = malloc(10 * sizeof(char **));
+    if (session->server_kex.methods == NULL) {
+      leave_function();
+      return -1;
+    }
+
+    for (i = 0; i < 10; i++) {
+      session->server_kex.methods[i] = strings[i];
+    }
+  }
+
+  leave_function();
+  return 0;
+error:
+  string_free(str);
+  for (i = 0; i < 10; i++) {
+    SAFE_FREE(strings[i]);
+  }
+
+  leave_function();
+  return -1;
 }
 
 void ssh_list_kex(struct ssh_session *session, KEX *kex) {
diff --git a/libssh/server.c b/libssh/server.c
index 6aebf673..88b87286 100644
--- a/libssh/server.c
+++ b/libssh/server.c
@@ -339,8 +339,9 @@ int ssh_accept(SSH_SESSION *session){
       return -1;
     }
     ssh_send_kex(session,1);
-    if(ssh_get_kex(session,1))
+    if(ssh_get_kex(session,1) < 0) {
         return -1;
+    }
     ssh_list_kex(session, &session->client_kex);
     crypt_set_algorithms_server(session);
     if(dh_handshake_server(session))