aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorXin LI <delphij@FreeBSD.org>2016-11-02 06:43:20 +0000
committerXin LI <delphij@FreeBSD.org>2016-11-02 06:43:20 +0000
commit642a1c3843c9c824a6fbcee4d340d711bc049aa9 (patch)
tree7a5d0b4ca3f274e3682d462f5ed854c2c0d45496
parentb5a1df4a77c86979aff60b2660dca65aacccbb09 (diff)
downloadsrc-642a1c3843c9c824a6fbcee4d340d711bc049aa9.tar.gz
src-642a1c3843c9c824a6fbcee4d340d711bc049aa9.zip
Apply upstream fix for CVE-2016-8858:
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn Obtained from: OpenBSD
Notes
Notes: svn path=/vendor-crypto/openssh/dist/; revision=308196
Diffstat
-rw-r--r--kex.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/kex.c b/kex.c
index d371f47c48dd..9c9f56228ea5 100644
--- a/kex.c
+++ b/kex.c
@@ -468,6 +468,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
if (kex == NULL)
return SSH_ERR_INVALID_ARGUMENT;
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
ptr = sshpkt_ptr(ssh, &dlen);
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
return r;
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-24 19:52:01 +0000