authormarkus@openbsd.org <markus@openbsd.org>2016-10-10 19:28:48 +0000
committerDamien Miller <djm@mindrot.org>2016-10-13 18:55:25 +1100
commitec165c392ca54317dbe3064a8c200de6531e89ad (patch)
tree182cf0aac804c8f47d72b84603e063567f07ee40
parent29d40319392e6e19deeca9d45468aa1119846e50 (diff)
upstream commit
Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
-rw-r--r--kex.c3
1 files changed, 2 insertions, 1 deletions
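diff --git a/kex.c b/kex.c
index 3f97f8c00..6a94bc535 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.126 2016/09/28 21:44:52 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
  *
@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
  if (kex == NULL)
  return SSH_ERR_INVALID_ARGUMENT;
 
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
  ptr = sshpkt_ptr(ssh, &dlen);
  if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
  return r;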
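Review bot: The added `ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);` in kex_input_kexinit carries no comment, so the reason it must run before the `sshbuf_put(kex->peer, ptr, dlen)` append is recorded only in the commit message; I would add `/* accept one KEXINIT per exchange; a repeat must not append to kex->peer again */` above it. Passing NULL leaves the fate of a second KEXINIT to however the dispatcher treats an unregistered message type, which is not visible here, so it is worth confirming that this path ends the connection rather than silently ignoring the packet. The handler also has to be registered again once the exchange completes, otherwise a later rekey would presumably be rejected. That code, like the rest of this function, lies outside the hunk.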