From 6ae35ac5762b6abcbd416e7db9246e730b401f10 Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Sun, 21 Jun 2009 19:00:20 +1000
Subject: [PATCH] - dtucker@cvs.openbsd.org 2009/06/21 07:37:15 [kexdhs.c kexgexs.c] abort if key_sign fails, preventing possible null deref. Based on report from Paolo Ganci, ok markus@ djm@
---
 ChangeLog | 4 ++++
 kexdhs.c | 6 ++++--
 kexgexs.c | 6 ++++--
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 862d55eaa..a10870522 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -97,6 +97,10 @@ [packet.c] Move some more statics into session_state ok markus@ djm@
+ - dtucker@cvs.openbsd.org 2009/06/21 07:37:15
+ [kexdhs.c kexgexs.c]
+ abort if key_sign fails, preventing possible null deref. Based on report
+ from Paolo Ganci, ok markus@ djm@
 20090616 - (dtucker) [configure.ac defines.h] Bug #1607: handle the case where fsid_t
diff --git a/kexdhs.c b/kexdhs.c
index 861708818..a6719f672 100644
--- a/kexdhs.c
+++ b/kexdhs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexdhs.c,v 1.9 2006/11/06 21:25:28 markus Exp $ */
+/* $OpenBSD: kexdhs.c,v 1.10 2009/06/21 07:37:15 dtucker Exp $ */
 /* * Copyright (c) 2001 Markus Friedl. All rights reserved. *
@@ -137,7 +137,9 @@ kexdh_server(Kex *kex)
 } /* sign H */
- PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
+ if (PRIVSEP(key_sign(server_host_key, &signature, &slen, hash,
+ hashlen)) < 0)
+ fatal("kexdh_server: key_sign failed");
 /* destroy_sensitive_data(); */
diff --git a/kexgexs.c b/kexgexs.c
index 76a0f8ca7..8515568b3 100644
--- a/kexgexs.c
+++ b/kexgexs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexs.c,v 1.11 2009/01/01 21:17:36 djm Exp $ */
+/* $OpenBSD: kexgexs.c,v 1.12 2009/06/21 07:37:15 dtucker Exp $ */
 /* * Copyright (c) 2000 Niels Provos. All rights reserved. * Copyright (c) 2001 Markus Friedl. All rights reserved.
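Review bot: The new guard in kexdh_server, and the identical one in kexgex_server in the second kexgexs.c hunk, only tests the return value of whichever function PRIVSEP dispatches to. Neither hunk shows whether the privilege-separated signing path reports a failure as a negative return, so if that path can return success while leaving `signature` unset, the null dereference this commit targets is still reachable at the later use of `signature` outside the hunk. Provided `signature` is initialised to NULL at its declaration (not visible here), extending the condition to `... hashlen)) < 0 || signature == NULL)` makes the abort independent of the callee's return convention. A one-line comment such as `/* never continue the exchange without a host-key signature */` would record why this is fatal rather than recoverable. Separately, the two messages differ only by a hand-typed function name, which `fatal("%s: key_sign failed", __func__);` would keep in sync; both function bodies start and end outside the hunks.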
@@ -179,7 +179,9 @@ kexgex_server(Kex *kex)
 } /* sign H */
- PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
+ if (PRIVSEP(key_sign(server_host_key, &signature, &slen, hash,
+ hashlen)) < 0)
+ fatal("kexgex_server: key_sign failed");
 /* destroy_sensitive_data(); */