Author: delphij
Date: Wed Nov 2 06:43:20 2016
New Revision: 308196
URL: https://svnweb.freebsd.org/changeset/base/308196
Log:
Apply upstream fix for CVE-2016-8858:
Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn
Obtained from: OpenBSD
Modified:
vendor-crypto/openssh/dist/kex.c
Modified: vendor-crypto/openssh/dist/kex.c
==============================================================================
--- vendor-crypto/openssh/dist/kex.c Wed Nov 2 06:37:35 2016
(r308195)
+++ vendor-crypto/openssh/dist/kex.c Wed Nov 2 06:43:20 2016
(r308196)
@@ -468,6 +468,7 @@ kex_input_kexinit(int type, u_int32_t se
if (kex == NULL)
return SSH_ERR_INVALID_ARGUMENT;
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
ptr = sshpkt_ptr(ssh, &dlen);
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
return r;
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "[email protected]"
