> + const BIGNUM *pub_key;
> + if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0)
> + goto out;
> + DH_get0_key(kex->dh, &pub_key, NULL);
> + if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_INIT)) != 0 ||
> + (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 ||
> + (r = sshpkt_send(ssh)) != 0) {
> goto out;
> + }
> + }
> debug("SSH2_MSG_KEX_DH_GEX_INIT sent");
> #ifdef DEBUG_KEXDH
> DHparams_print_fp(stderr, kex->dh);
> @@ -134,10 +140,12 @@ input_kex_dh_gex_group(int type, u_int32
> ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REPLY,
> &input_kex_dh_gex_reply);
> r = 0;
> out:
> - if (p)
> + if (r != 0) {
> BN_clear_free(p);
> - if (g)
> BN_clear_free(g);
> + DH_free(kex->dh);
> + kex->dh = NULL;
> + }
> return r;
BN_clear_free will null-deref on this error path, I think.