Subject: [PATCH] knownhost_add: Avoid dereferencing uninitialized memory on error path.

[PATCH] knownhost_add: Avoid dereferencing uninitialized memory on error path.

From: Peter Krempa <pkrempa_at_redhat.com>
Date: Fri, 11 Nov 2011 14:54:57 +0100

In function knownhost_add, memory is allocated for a new entry. If normal
allocation is used, the memory is not initialized to 0 right after, but a
check is done to verify that a correct key type is passed. This test is done
BEFORE the memory is zeroed, and on the error path the function
free_host() is called, which tries to dereference uninitialized memory,
resulting in a glibc abort().

 * knownhost.c - knownhost_add(): - move typemask check before alloc

---
 src/knownhost.c |   17 +++++++----------
 1 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/src/knownhost.c b/src/knownhost.c
index 7280687..d90f1d4 100644
--- a/src/knownhost.c
+++ b/src/knownhost.c
@@ -131,25 +131,22 @@ knownhost_add(LIBSSH2_KNOWNHOSTS *hosts,
               const char *comment, size_t commentlen,
               int typemask, struct libssh2_knownhost **store)
 {
-    struct known_host *entry =
-        LIBSSH2_ALLOC(hosts->session, sizeof(struct known_host));
+    struct known_host *entry;
     size_t hostlen = strlen(host);
     int rc;
     char *ptr;
     unsigned int ptrlen;
-    if(!entry)
+    /* make sure we have a key type set */
+    if(!(typemask & LIBSSH2_KNOWNHOST_KEY_MASK))
+        return _libssh2_error(hosts->session, LIBSSH2_ERROR_INVAL,
+                              "No key type set");
+
+    if(!(entry = LIBSSH2_ALLOC(hosts->session, sizeof(struct known_host))))
         return _libssh2_error(hosts->session, LIBSSH2_ERROR_ALLOC,
                               "Unable to allocate memory for known host "
                               "entry");
-    /* make sure we have a key type set */
-    if(!(typemask & LIBSSH2_KNOWNHOST_KEY_MASK)) {
-        rc = _libssh2_error(hosts->session, LIBSSH2_ERROR_INVAL,
-                            "No key type set");
-        goto error;
-    }
-
     memset(entry, 0, sizeof(struct known_host));
     entry->typemask = typemask;
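Review bot: The invariant this patch restores is still implicit: nothing between the `LIBSSH2_ALLOC` call and the `memset` may reach the `error` path, because (per the commit message) free_host() reads fields of the entry. A later edit that adds a check in that gap would bring back the free of uninitialized pointers. A comment on the memset line would pin this down, e.g. `/* zero the entry before any 'goto error': free_host() reads its fields */`. As a style point, the assignment inside the condition is harder to scan than `entry = LIBSSH2_ALLOC(hosts->session, sizeof(struct known_host));` followed by `if(!entry)`. The rest of knownhost_add, including the `error` label, is outside this hunk, so the later error paths could not be checked here.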
-- 
1.7.3.4