X-Git-Url: https://git.distorted.org.uk/~mdw/sgt/putty/blobdiff_plain/dfb88efd1c9503370bee8e677bbefad6ef41df85..c16e353eb95120407b78602f0bbaedac57eccf44:/sshdss.c

diff --git a/sshdss.c b/sshdss.c
index 6cf5830d..532c13f2 100644
--- a/sshdss.c
+++ b/sshdss.c
@@ -42,7 +42,9 @@ static void getstring(char **data, int *datalen, char **p, int *length)
     *p = NULL;
     if (*datalen < 4)
 	return;
-    *length = GET_32BIT(*data);
+    *length = toint(GET_32BIT(*data));
+    if (*length < 0)
+        return;
     *datalen -= 4;
     *data += 4;
     if (*datalen < *length)
@@ -98,7 +100,7 @@ static void *dss_newkey(char *data, int len)
     }
 #endif
 
-    if (!p || memcmp(p, "ssh-dss", 7)) {
+    if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
 	sfree(dss);
 	return NULL;
     }
@@ -287,6 +289,8 @@ static int dss_verifysig(void *key, char *sig, int siglen,
 
     freebn(w);
     freebn(sha);
+    freebn(u1);
+    freebn(u2);
     freebn(gu1p);
     freebn(yu2p);
     freebn(gu1yu2p);
@@ -402,6 +406,7 @@ static void *dss_createkey(unsigned char *pub_blob, int pub_len,
     ytest = modpow(dss->g, dss->x, dss->p);
     if (0 != bignum_cmp(ytest, dss->y)) {
 	dss_freekey(dss);
+        freebn(ytest);
 	return NULL;
     }
     freebn(ytest);