From 296ec8eae0c834088a491643a937d881bfb4b5dd Mon Sep 17 00:00:00 2001 From: Ed Maste Date: Mon, 6 Feb 2023 11:26:08 -0500 Subject: ssh: fix double-free caused by compat_kex_proposal() Security: CVE-2023-25136 Obtained from: OpenSSH-portable commit 12da78233364 Sponsored by: The FreeBSD Foundation (cherry picked from commit fe1371e8f3d7336748d291a7360b2aacce943fb1) --- crypto/openssh/compat.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/crypto/openssh/compat.c b/crypto/openssh/compat.c index 46dfe3a9c2e7..478a9403eeaa 100644 --- a/crypto/openssh/compat.c +++ b/crypto/openssh/compat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.120 2022/07/01 03:35:45 dtucker Exp $ */ +/* $OpenBSD: compat.c,v 1.121 2023/02/02 12:10:05 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -190,26 +190,26 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop) char * compat_kex_proposal(struct ssh *ssh, char *p) { - char *cp = NULL; + char *cp = NULL, *cp2 = NULL; if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) return xstrdup(p); debug2_f("original KEX proposal: %s", p); if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0) - if ((p = match_filter_denylist(p, + if ((cp = match_filter_denylist(p, "curve25519-sha256@libssh.org")) == NULL) fatal("match_filter_denylist failed"); if ((ssh->compat & SSH_OLD_DHGEX) != 0) { - cp = p; - if ((p = match_filter_denylist(p, + if ((cp2 = match_filter_denylist(cp ? cp : p, "diffie-hellman-group-exchange-sha256," "diffie-hellman-group-exchange-sha1")) == NULL) fatal("match_filter_denylist failed"); free(cp); + cp = cp2; } - debug2_f("compat KEX proposal: %s", p); - if (*p == '\0') + if (cp == NULL || *cp == '\0') fatal("No supported key exchange algorithms found"); - return p; + debug2_f("compat KEX proposal: %s", cp); + return cp; } -- cgit v1.2.3