From c67b05b269d24d6a60a1843f49bb0242461cf4b0 Mon Sep 17 00:00:00 2001
From: Peter Wagner
Date: Mon, 3 Oct 2016 21:38:15 +0200
Subject: [PATCH] openssh: move inbound NEWKEYS handling to kex layer; otherwise early NEWKEYS causes NULL deref
see: https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737
Signed-off-by: Peter Wagner
---
 net/openssh/Makefile | 2 +-
 ...00-openssh-7.3_p1-NEWKEYS_null_deref.patch | 27 +++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 net/openssh/patches/100-openssh-7.3_p1-NEWKEYS_null_deref.patch
diff --git a/net/openssh/Makefile b/net/openssh/Makefile
index 3134e9290..10eb434f5 100644
--- a/net/openssh/Makefile
+++ b/net/openssh/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openssh
 PKG_VERSION:=7.3p1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
diff --git a/net/openssh/patches/100-openssh-7.3_p1-NEWKEYS_null_deref.patch b/net/openssh/patches/100-openssh-7.3_p1-NEWKEYS_null_deref.patch
new file mode 100644
index 000000000..27e99b2fb
--- /dev/null
+++ b/net/openssh/patches/100-openssh-7.3_p1-NEWKEYS_null_deref.patch
@@ -0,0 +1,27 @@
+Backport of
+https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737
+
+--- openssh-7.3p1/kex.c
++++ openssh-7.3p1/kex.c
+@@ -419,6 +419,8 @@
+ ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
+ if ((r = sshpkt_get_end(ssh)) != 0)
+ return r;
++ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
++ return r;
+ kex->done = 1;
+ sshbuf_reset(kex->peer);
+ /* sshbuf_reset(kex->my); */
+--- openssh-7.3p1/packet.c
++++ openssh-7.3p1/packet.c
+@@ -1919,9 +1919,7 @@
+ return r;
+ return SSH_ERR_PROTOCOL_ERROR;
+ }
+- if (*typep == SSH2_MSG_NEWKEYS)
+- r = ssh_set_newkeys(ssh, MODE_IN);
+- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
++ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
+ r = ssh_packet_enable_delayed_compress(ssh);
+ else
+ r = 0;
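Review bot: The new patch file's own header only says `Backport of <url>`; it should also record what the backport fixes and when it can be dropped, e.g. `Fixes a NULL dereference in ssh_set_newkeys() when the peer sends SSH2_MSG_NEWKEYS before key exchange has produced the inbound keys; merged upstream, drop on update to [UPSTREAM RELEASE — confirm]`. The code change matches the referenced upstream commit: inbound keys are now installed only from the kex.c NEWKEYS handler after `sshpkt_get_end()` succeeds, and because that handler resets the NEWKEYS dispatch entry to `kex_protocol_error`, an out-of-order NEWKEYS is rejected as a protocol error instead of reaching `ssh_set_newkeys()` with no keys prepared. The rendered view shows no leading tabs on the quoted kex.c and packet.c lines; if the committed file really lacks them the context lines will not match the pristine 7.3p1 sources, so the patch should be checked to apply cleanly in a build. Both functions quoted inside the nested hunks start and end outside them, so the surrounding control flow is not visible here.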