author | djm@openbsd.org <djm@openbsd.org> | 2021-01-31 23:55:29 +0100 |
committer | Damien Miller <djm@mindrot.org> | 2021-01-31 23:57:28 +0100 |
commit | 3dd0c64e08f1bba21d71996d635c7256c8c139d1 (patch) | |
tree | 8b1e590fba33fd7ebd8637970a8c67a266cf6035 /kexgexc.c | |
parent | upstream: Set linesize returned by getline to zero when freeing and (diff) | |
upstream: more strictly enforce KEX state-machine by banning packet
types once they are received. Fixes memleak caused by duplicate
SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via
oss-fuzz #30078).
ok markus@
OpenBSD-Commit-ID: 87331c715c095b587d5c88724694cdeb701c9def
Diffstat (limited to 'kexgexc.c')
-rw-r--r-- | kexgexc.c | 12 |
1 files changed, 8 insertions, 4 deletions
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexc.c,v 1.36 2021/01/27 09:26:54 djm Exp $ */
+/* $OpenBSD: kexgexc.c,v 1.37 2021/01/31 22:55:29 djm Exp $ */
 /*
 * Copyright (c) 2000 Niels Provos. All rights reserved.
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -83,6 +83,7 @@ kexgex_client(struct ssh *ssh)
 fprintf(stderr, "\nmin = %d, nbits = %d, max = %d\n",
 kex->min, kex->nbits, kex->max);
 #endif
+ debug("expecting SSH2_MSG_KEX_DH_GEX_GROUP");
 ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_GROUP,
 &input_kex_dh_gex_group);
 r = 0;
@@ -98,7 +99,8 @@ input_kex_dh_gex_group(int type, u_int32_t seq, struct ssh *ssh)
 const BIGNUM *pub_key;
 int r, bits;
 
- debug("got SSH2_MSG_KEX_DH_GEX_GROUP");
+ debug("SSH2_MSG_KEX_DH_GEX_GROUP received");
+ ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_GROUP, &kex_protocol_error);
 
 if ((r = sshpkt_get_bignum2(ssh, &p)) != 0 ||
 (r = sshpkt_get_bignum2(ssh, &g)) != 0 ||
@@ -130,7 +132,7 @@ input_kex_dh_gex_group(int type, u_int32_t seq, struct ssh *ssh)
 BN_print_fp(stderr, pub_key);
 fprintf(stderr, "\n");
 #endif
- ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_GROUP, NULL);
+ debug("expecting SSH2_MSG_KEX_DH_GEX_REPLY");
 ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REPLY, &input_kex_dh_gex_reply);
 r = 0;
 out:
@@ -153,7 +155,9 @@ input_kex_dh_gex_reply(int type, u_int32_t seq, struct ssh *ssh)
 size_t slen, hashlen;
 int r;
 
- debug("got SSH2_MSG_KEX_DH_GEX_REPLY");
+ debug("SSH2_MSG_KEX_DH_GEX_REPLY received");
+ ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REPLY, &kex_protocol_error);
+
 /* key, cert */
 if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
 goto out; |
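Review bot: The ban installed at the top of input_kex_dh_gex_group (and the same line at the top of input_kex_dh_gex_reply in the last hunk) routes a repeated SSH2_MSG_KEX_DH_GEX_GROUP to kex_protocol_error, whereas the line removed in the following hunk cleared that handler to NULL on the success path; kex_protocol_error is defined outside this file, so if it only logs and answers the peer rather than disconnecting, a duplicate is now tolerated instead of fatal, which is worth confirming is the intended strictness. Installing the ban before the first sshpkt_get_* call is the right order, since it stays in effect on every error path too, but nothing at the site says why it must come first; a one-line comment would help: `/* Ban this type before parsing: a repeat is a protocol error even if we fail below. */`. Both handler bodies continue outside the hunks.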