From 3653afac3475542ea1d30d5012f1a37c063424c0 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Tue, 26 Jan 2021 16:59:42 -0800
Subject: [PATCH 1/2] check that the generator and primeGroup are set before trying to flatten them into output
---
 src/internal.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index a665422..0e67975 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -2843,6 +2843,13 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
 if (ret == WS_SUCCESS && ssh->handshake->kexId == ID_DH_GEX_SHA256) {
 byte primeGroupPad = 0, generatorPad = 0;
 
+ if (ssh->handshake->primeGroup == NULL ||
+ ssh->handshake->generator == NULL) {
+ WLOG(WS_LOG_DEBUG,
+ "DKDR: trying GEX without generator or prime group");
+ ret = WS_BAD_ARGUMENT;
+ }
+
 /* Hash in the client's requested minimum key size. */
 if (ret == 0) {
 c32toa(ssh->handshake->dhGexMinSz, scratchLen);

From c7a392d351feb64e9032aa9fe43a5e582736df7e Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Tue, 26 Jan 2021 17:36:15 -0800
Subject: [PATCH 2/2] if a handshake info has a stored kex init message already before trying to store a kex init message, free it
---
 src/internal.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/internal.c b/src/internal.c
index 0e67975..4bc7d6a 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -6352,6 +6352,12 @@ int SendKexInit(WOLFSSH* ssh)
 ssh->outputBuffer.length = idx;
 
+ if (ssh->handshake->kexInit != NULL) {
+ WFREE(ssh->handshake->kexInit, ssh->ctx->heap, DYNTYPE_STRING);
+ ssh->handshake->kexInit = NULL;
+ ssh->handshake->kexInitSz = 0;
+ }
+
 buf = (byte*)WMALLOC(bufSz, ssh->ctx->heap, DYNTYPE_STRING);
 if (buf == NULL) {
 WLOG(WS_LOG_DEBUG, "Cannot allocate storage for KEX Init msg");
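Review bot: The new guard in DoKexDhReply reports WS_BAD_ARGUMENT for what appears to be a message-ordering problem rather than a bad caller argument: primeGroup and generator are presumably still NULL because the peer's GEX reply arrived before the group/generator message was processed, so a protocol-state error code would describe the condition more accurately if the module has one, and the log text should say as much, e.g. `"DKDR: GEX reply received before prime group and generator were set"`. The check itself is the right defensive fix, since the flatten that follows (outside the hunk) would otherwise presumably dereference NULL on a malformed sequence from the remote side. The outer condition tests `ret == WS_SUCCESS` while the block right after the new code tests `ret == 0`; the new block would read more consistently if the surrounding tests used one spelling. DoKexDhReply's body starts and ends outside the hunk.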
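Review bot: The new release block in SendKexInit needs a comment saying why a stored KEXINIT can already exist at this point; presumably SendKexInit runs again on a repeated key exchange and the copy kept for the exchange hash must match the message actually sent, but nothing in the hunk states that. Suggest `/* A repeated key exchange sends a fresh KEXINIT; drop the copy kept from the previous exchange so the stored message matches what is sent below. */` above the `if`. Freeing before the WMALLOC below is sound, since on allocation failure kexInit stays NULL with kexInitSz reset to 0, so no dangling pointer or stale size remains. If the peer's KEXINIT copy is stored by a matching receive path, it likely needs the same release before being overwritten. SendKexInit's body starts and ends outside the hunk.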