svn commit: r308196 - vendor-crypto/openssh/dist
Xin LI
delphij at FreeBSD.org
Wed Nov 2 06:43:22 UTC 2016
Author: delphij
Date: Wed Nov 2 06:43:20 2016
New Revision: 308196
URL: https://svnweb.freebsd.org/changeset/base/308196
Log:
Apply upstream fix for CVE-2016-8858:
Unregister the KEXINIT handler after message has been received.
Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed.
Reported by shilei-c at 360.cn
Obtained from: OpenBSD
Modified:
vendor-crypto/openssh/dist/kex.c
Modified: vendor-crypto/openssh/dist/kex.c
==============================================================================
--- vendor-crypto/openssh/dist/kex.c Wed Nov 2 06:37:35 2016 (r308195)
+++ vendor-crypto/openssh/dist/kex.c Wed Nov 2 06:43:20 2016 (r308196)
@@ -468,6 +468,7 @@ kex_input_kexinit(int type, u_int32_t se
if (kex == NULL)
return SSH_ERR_INVALID_ARGUMENT;
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
ptr = sshpkt_ptr(ssh, &dlen);
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
return r;
More information about the svn-src-vendor
mailing list