curve25519: Fix memory leaks in ssh_server_curve25519_init().

CID #1125255
2013-11-27 20:26:14 +01:00 · 2013-11-27 20:26:14 +01:00 · fd185acbea
--- a/src/curve25519.c
+++ b/src/curve25519.c
@ -195,44 +195,36 @@ int ssh_server_curve25519_init(ssh_session session, ssh_buffer packet){

    rc = ssh_get_random(session->next_crypto->curve25519_privkey, CURVE25519_PRIVKEY_SIZE, 1);
    if (rc == 0){
-  	  ssh_set_error(session, SSH_FATAL, "PRNG error");
-  	  return SSH_ERROR;
+        ssh_set_error(session, SSH_FATAL, "PRNG error");
+        return SSH_ERROR;
    }

    crypto_scalarmult_base(session->next_crypto->curve25519_server_pubkey,
  		  session->next_crypto->curve25519_privkey);

-    q_s_string = ssh_string_new(CURVE25519_PUBKEY_SIZE);
-    if (q_s_string == NULL) {
-        return SSH_ERROR;
-    }
-
-    ssh_string_fill(q_s_string, session->next_crypto->curve25519_server_pubkey,
-    		CURVE25519_PUBKEY_SIZE);
-
    rc = buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_REPLY);
    if (rc < 0) {
        ssh_set_error_oom(session);
-        return SSH_ERROR;
+        goto error;
    }

    /* build k and session_id */
    rc = ssh_curve25519_build_k(session);
    if (rc < 0) {
        ssh_set_error(session, SSH_FATAL, "Cannot build k number");
-        return SSH_ERROR;
+        goto error;
    }

    /* privkey is not allocated */
    rc = ssh_get_key_params(session, &privkey);
    if (rc == SSH_ERROR) {
-        return SSH_ERROR;
+        goto error;
    }

    rc = make_sessionid(session);
    if (rc != SSH_OK) {
        ssh_set_error(session, SSH_FATAL, "Could not create a session id");
-        return SSH_ERROR;
+        goto error;
    }

    /* add host's public key */
@ -240,29 +232,37 @@ int ssh_server_curve25519_init(ssh_session session, ssh_buffer packet){
                               session->next_crypto->server_pubkey);
    if (rc < 0) {
        ssh_set_error_oom(session);
-        return SSH_ERROR;
+        goto error;
    }

    /* add ecdh public key */
+    q_s_string = ssh_string_new(CURVE25519_PUBKEY_SIZE);
+    if (q_s_string == NULL) {
+        goto error;
+    }
+
+    ssh_string_fill(q_s_string,
+                    session->next_crypto->curve25519_server_pubkey,
+                    CURVE25519_PUBKEY_SIZE);
+
    rc = buffer_add_ssh_string(session->out_buffer, q_s_string);
    ssh_string_free(q_s_string);
-
    if (rc < 0) {
        ssh_set_error_oom(session);
-        return SSH_ERROR;
+        goto error;
    }
    /* add signature blob */
    sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey);
    if (sig_blob == NULL) {
        ssh_set_error(session, SSH_FATAL, "Could not sign the session id");
-        return SSH_ERROR;
+        goto error;
    }

    rc = buffer_add_ssh_string(session->out_buffer, sig_blob);
    ssh_string_free(sig_blob);
    if (rc < 0) {
        ssh_set_error_oom(session);
-        return SSH_ERROR;
+        goto error;
    }

    SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_KEX_ECDH_REPLY sent");
@ -274,7 +274,7 @@ int ssh_server_curve25519_init(ssh_session session, ssh_buffer packet){
    /* Send the MSG_NEWKEYS */
    rc = buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
    if (rc < 0) {
-        return SSH_ERROR;;
+        goto error;
    }

    session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
@ -282,6 +282,9 @@ int ssh_server_curve25519_init(ssh_session session, ssh_buffer packet){
    SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");

    return rc;
+error:
+    buffer_reinit(session->out_buffer);
+    return SSH_ERROR;
 }

 #endif /* WITH_SERVER */