From e3246ceb7e5e1d49b0a751012c064957518e483c Mon Sep 17 00:00:00 2001
From: Matt Johnston
Date: Fri, 16 Jun 2017 22:35:18 +0800
Subject: [PATCH] check p and q lengths
--HG--
branch : fuzz
---
 dss.c | 13 ++++++++++---
 dss.h | 3 +++
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/dss.c b/dss.c
index 8f4f195..a3b4dce 100644
--- a/dss.c
+++ b/dss.c
@@ -61,8 +61,15 @@ int buf_get_dss_pub_key(buffer* buf, dropbear_dss_key *key) {
 goto out;
 }
- if (mp_count_bits(key->p) < MIN_DSS_KEYLEN) {
- dropbear_log(LOG_WARNING, "DSS key too short");
+ if (mp_count_bits(key->p) < DSS_P_BITS) {
+ dropbear_log(LOG_WARNING, "Bad DSS p");
+ TRACE(("leave buf_get_dss_pub_key: short key"))
+ ret = DROPBEAR_FAILURE;
+ goto out;
+ }
+
+ if (mp_count_bits(key->q) < DSS_Q_BITS) {
+ dropbear_log(LOG_WARNING, "Bad DSS q");
 TRACE(("leave buf_get_dss_pub_key: short key"))
 ret = DROPBEAR_FAILURE;
 goto out;
@@ -94,7 +101,7 @@ int buf_get_dss_priv_key(buffer* buf, dropbear_dss_key *key) {
 m_mp_alloc_init_multi(&key->x, NULL);
 ret = buf_getmpint(buf, key->x);
 if (ret == DROPBEAR_FAILURE) {
- m_mp_free_multi(&key->x);
+ m_mp_free_multi(&key->x, NULL);
 }
 return ret;
diff --git a/dss.h b/dss.h
index adf2d55..4d11c0a 100644
--- a/dss.h
+++ b/dss.h
@@ -41,6 +41,9 @@ typedef struct {
 } dropbear_dss_key;
+#define DSS_P_BITS 1024
+#define DSS_Q_BITS 160
+
 void buf_put_dss_sign(buffer* buf, dropbear_dss_key *key, buffer *data_buf);
 #if DROPBEAR_SIGNKEY_VERIFY
 int buf_dss_verify(buffer* buf, dropbear_dss_key *key, buffer *data_buf);
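Review bot: Both new length checks in buf_get_dss_pub_key (first dss.c hunk) compare with `<`, so they reject only short parameters and still accept a p longer than DSS_P_BITS or a q longer than DSS_Q_BITS from an untrusted key blob. The constant names and the commit title read as exact sizes, and if the sign/verify code sizes its buffers for a 160-bit q (not visible in this patch), an oversized q should be refused at parse time: `if (mp_count_bits(key->p) != DSS_P_BITS) {` and `if (mp_count_bits(key->q) != DSS_Q_BITS) {`. With that change the shared TRACE text `short key` no longer describes every failure and should be reworded. The function body starts and ends outside the hunk.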
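Review bot: The missing `NULL` terminator fixed in buf_get_dss_priv_key (second dss.c hunk) is a class of mistake the compiler can catch, and nothing in this patch stops it from recurring at another call site. m_mp_alloc_init_multi and m_mp_free_multi appear to walk their variadic arguments until a null pointer, so an unterminated call reads past the supplied arguments on an error path reachable from a malformed key. Their prototypes are outside this patch; if they are not already annotated, adding `__attribute__((sentinel))` to both (GCC/Clang) makes an omitted terminator a compile-time warning. The function body starts outside the hunk.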