author | djm@openbsd.org <djm@openbsd.org> | 2021-01-31 22:55:29 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2021-02-01 09:57:28 +1100 |
commit | 3dd0c64e08f1bba21d71996d635c7256c8c139d1 (patch) | |
tree | 8b1e590fba33fd7ebd8637970a8c67a266cf6035 /kexgexs.c | |
parent | 7a92a324a2e351fabd0ba8ef9b434d3b12d54ee3 (diff) | |
download | openssh-git-3dd0c64e08f1bba21d71996d635c7256c8c139d1.tar.gz |
upstream: more strictly enforce KEX state-machine by banning packet
types once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via
oss-fuzz #30078).
ok markus@
OpenBSD-Commit-ID: 87331c715c095b587d5c88724694cdeb701c9def
Diffstat (limited to 'kexgexs.c')
-rw-r--r-- | kexgexs.c | 7 |
1 files changed, 6 insertions, 1 deletions
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexs.c,v 1.42 2019/01/23 00:30:41 djm Exp $ */
+/* $OpenBSD: kexgexs.c,v 1.43 2021/01/31 22:55:29 djm Exp $ */
 /*
 * Copyright (c) 2000 Niels Provos. All rights reserved.
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -77,6 +77,8 @@ input_kex_dh_gex_request(int type, u_int32_t seq, struct ssh *ssh)
 const BIGNUM *dh_p, *dh_g;
 debug("SSH2_MSG_KEX_DH_GEX_REQUEST received");
+ ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST, &kex_protocol_error);
+
 if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
 (r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
 (r = sshpkt_get_u32(ssh, &max)) != 0 ||
@@ -136,6 +138,9 @@ input_kex_dh_gex_init(int type, u_int32_t seq, struct ssh *ssh)
 size_t slen, hashlen;
 int r;
+ debug("SSH2_MSG_KEX_DH_GEX_INIT received");
+ ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_INIT, &kex_protocol_error);
+
 if ((r = kex_load_hostkey(ssh, &server_host_private, &server_host_public)) != 0)
 goto out; |
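Review bot: The two added `ssh_dispatch_set(..., &kex_protocol_error)` calls, at the top of input_kex_dh_gex_request and again at the top of input_kex_dh_gex_init, have no comment saying that they make each handler one-shot, so a later cleanup could move them below the parsing or drop them as redundant. I would put a comment above each, along the lines of `/* one-shot: a repeated message of this type is a protocol error; set before parsing so it holds on the error path too */`. The ban stays in place until something registers the handler again, so rekeying depends on setup code outside these hunks re-arming SSH2_MSG_KEX_DH_GEX_REQUEST for every exchange, which I cannot confirm from here. A regression test that sends a duplicate request and expects the connection to be dropped would pin the behaviour the fuzzer found. Both function bodies continue outside the hunks.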