Date: Wed, 2 Nov 2016 06:43:20 +0000 (UTC)
From: Xin LI <delphij@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject: svn commit: r308196 - vendor-crypto/openssh/dist
Message-ID: <201611020643.uA26hKRA062784@repo.freebsd.org>
Author: delphij Date: Wed Nov 2 06:43:20 2016 New Revision: 308196 URL: https://svnweb.freebsd.org/changeset/base/308196 Log: Apply upstream fix for CVE-2016-8858: Unregister the KEXINIT handler after message has been received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn Obtained from: OpenBSD Modified: vendor-crypto/openssh/dist/kex.c Modified: vendor-crypto/openssh/dist/kex.c ============================================================================== --- vendor-crypto/openssh/dist/kex.c Wed Nov 2 06:37:35 2016 (r308195) +++ vendor-crypto/openssh/dist/kex.c Wed Nov 2 06:43:20 2016 (r308196) @@ -468,6 +468,7 @@ kex_input_kexinit(int type, u_int32_t se if (kex == NULL) return SSH_ERR_INVALID_ARGUMENT; + ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); ptr = sshpkt_ptr(ssh, &dlen); if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) return r;
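Review bot: The added ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL) call in kex_input_kexinit() carries no comment, and its purpose is not obvious from the code alone. A one-line comment above it, saying the handler is cleared so that a peer cannot repeat KEXINIT and have each copy appended to kex->peer by the sshbuf_put() that follows, would keep the call from being dropped or reordered in a later cleanup. The call sits after the kex == NULL early return, so on that path the handler stays registered; nothing is buffered there, but the ordering deserves a word in the comment. The hunk also does not show where the handler is registered again for a later key re-exchange, so confirm that path before merging.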