authordjm@openbsd.org <djm@openbsd.org>2021-01-31 22:55:29 +0000
committerDamien Miller <djm@mindrot.org>2021-02-01 09:57:28 +1100
commit3dd0c64e08f1bba21d71996d635c7256c8c139d1 (patch)
tree8b1e590fba33fd7ebd8637970a8c67a266cf6035 /kexgen.c
parent7a92a324a2e351fabd0ba8ef9b434d3b12d54ee3 (diff)
upstream: more strictly enforce KEX state-machine by banning packet
types once they are received. Fixes memleak caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (spotted by portable OpenSSH kex_fuzz via oss-fuzz #30078). ok markus@ OpenBSD-Commit-ID: 87331c715c095b587d5c88724694cdeb701c9def
Diffstat (limited to 'kexgen.c')
-rw-r--r--kexgen.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/kexgen.c b/kexgen.c
index 39a848f2..35b83ccf 100644
--- a/kexgen.c
+++ b/kexgen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgen.c,v 1.5 2020/12/29 00:59:15 djm Exp $ */
+/* $OpenBSD: kexgen.c,v 1.6 2021/01/31 22:55:29 djm Exp $ */
/*
* Copyright (c) 2019 Markus Friedl. All rights reserved.
*
@@ -148,6 +148,9 @@ input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh)
size_t slen, hashlen;
int r;
+ debug("SSH2_MSG_KEX_ECDH_REPLY received");
+ ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_REPLY, &kex_protocol_error);
+
/* hostkey */
if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
goto out;
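Review bot: The `ssh_dispatch_set(...)` call added at the top of input_kex_gen_reply has no comment explaining why the handler is replaced before any field is parsed, and that ordering is the security-relevant part. Because the call precedes the first `goto out`, a reply that fails parsing still leaves the type banned, so the peer cannot send the message again into the same handler. I would add `/* one-shot: ban this type before parsing, so a duplicate or a retry after a failed parse reaches kex_protocol_error */` above it. The same comment belongs on the identical pair of lines added to input_kex_gen_init. Both function bodies continue outside their hunks, so whether the `out:` path relies on this ordering cannot be checked from here.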
@@ -254,6 +257,9 @@ input_kex_gen_init(int type, u_int32_t seq, struct ssh *ssh)
size_t slen, hashlen;
int r;
+ debug("SSH2_MSG_KEX_ECDH_INIT received");
+ ssh_dispatch_set(ssh, SSH2_MSG_KEX_ECDH_INIT, &kex_protocol_error);
+
if ((r = kex_load_hostkey(ssh, &server_host_private,
&server_host_public)) != 0)
goto out;
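Review bot: The debug line added at the top of input_kex_gen_init hard-codes the ECDH message name and ignores the `type` and `seq` arguments the handler already receives. The function name suggests, though this hunk does not confirm it, that the handler serves more than one key-exchange method, in which case the log text can mislead someone triaging a rejected handshake. Consider `debug("%s: type %d seq %u", __func__, type, seq);` so the log records what actually arrived. The same applies to the debug line added in input_kex_gen_reply.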