diff options
author | Xin LI <delphij@FreeBSD.org> | 2016-11-02 06:43:20 +0000 |
---|---|---|
committer | Xin LI <delphij@FreeBSD.org> | 2016-11-02 06:43:20 +0000 |
commit | 642a1c3843c9c824a6fbcee4d340d711bc049aa9 (patch) | |
tree | 7a5d0b4ca3f274e3682d462f5ed854c2c0d45496 | |
parent | b5a1df4a77c86979aff60b2660dca65aacccbb09 (diff) | |
download | src-642a1c3843c9c824a6fbcee4d340d711bc049aa9.tar.gz src-642a1c3843c9c824a6fbcee4d340d711bc049aa9.zip |
Apply upstream fix for CVE-2016-8858:
Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn
Obtained from: OpenBSD
Notes
Notes:
svn path=/vendor-crypto/openssh/dist/; revision=308196
-rw-r--r-- | kex.c | 1 |
1 files changed, 1 insertions, 0 deletions
@@ -468,6 +468,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt) if (kex == NULL) return SSH_ERR_INVALID_ARGUMENT; + ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); ptr = sshpkt_ptr(ssh, &dlen); if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) return r; |