upstream: delay bailout for invalid authenticating user

... until after the packet containing the request has been fully parsed.
Reported by Dariusz Tytko and Michał Sajdak; ok deraadt

OpenBSD-Commit-ID: b4891882fbe413f230fe8ac8a37349b03bd0b70d

Origin: backport, http://anongit.mindrot.org/openssh.git/commit/?id=74287f5df9966a0648b4a68417451dd18f079ab8
Bug-Debian: https://bugs.debian.org/906236
Last-Update: 2018-08-17

Patch-Name: upstream-delay-bailout-for-invalid-authenticating-user.patch

1 files changed, 6 insertions, 3 deletions

diff --git a/auth2-gss.c b/auth2-gss.c
index fd411d3a7..88bc3ae7b 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -104,9 +104,6 @@ userauth_gssapi(struct ssh *ssh)
         u_int len;
         u_char *doid = NULL;
 
-        if (!authctxt->valid || authctxt->user == NULL)
-                return (0);
-
         mechs = packet_get_int();
         if (mechs == 0) {
                 debug("Mechanism negotiation is not supported");
@@ -137,6 +134,12 @@ userauth_gssapi(struct ssh *ssh)
                 return (0);
         }
 
+        if (!authctxt->valid || authctxt->user == NULL) {
+                debug2("%s: disabled because of invalid user", __func__);
+                free(doid);
+                return (0);
+        }
+
         if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
                 if (ctxt != NULL)
                         ssh_gssapi_delete_ctx(&ctxt);