authorAris Adamantiadis <aris@0xbadc0de.be>2015-04-15 16:08:37 +0200
committerAndreas Schneider <asn@cryptomilk.org>2015-04-23 10:34:12 +0200
commit94f6955fbaee6fda9385a23e505497efe21f5b4f (patch)
tree8b6690bb098619050e3216f3842f3fa0aabfe284 /src/server.c
parentd2a990a68ea555d7003edc94eb076356604facea (diff)
CVE-2015-3146: Fix state validation in packet handlers
The state validation in the packet handlers for SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY had a bug which did not raise an error. The issue has been found and reported by Mariusz Ziule. Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be> Reviewed-by: Andreas Schneider <asn@cryptomilk.org> (cherry picked from commit bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe)
Diffstat (limited to 'src/server.c')
-rw-r--r--src/server.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/src/server.c b/src/server.c
index 35281caa..1637cce8 100644
--- a/src/server.c
+++ b/src/server.c
@@ -165,7 +165,7 @@ static int ssh_server_kexdh_init(ssh_session session, ssh_buffer packet){
}
SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
- int rc;
+ int rc = SSH_ERROR;
(void)type;
(void)user;
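Review bot: The initializer `int rc = SSH_ERROR;` is what makes an early jump to the `error:` label mark the session as failed, but nothing on that line says so. A later cleanup that drops the seemingly redundant initializer, or assigns rc before the state check, would silently bring back the behaviour this commit fixes. I would add a comment above it, for example `/* fail closed: a path that reaches error: without setting rc must leave the session in SSH_SESSION_STATE_ERROR */`. The callback body continues outside this hunk, so the jump sites themselves are not visible here.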
@@ -193,9 +193,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
ssh_set_error(session,SSH_FATAL,"Wrong kex type in ssh_packet_kexdh_init");
rc = SSH_ERROR;
}
- if (rc == SSH_ERROR)
+
+error:
+ if (rc == SSH_ERROR) {
session->session_state = SSH_SESSION_STATE_ERROR;
- error:
+ }
return SSH_PACKET_USED;
}
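Review bot: The `error:` label now sits on the common exit path, so the success path falls through it too and only the `rc == SSH_ERROR` test separates the two cases. Renaming it to `out:` (together with the `goto` sites, which are outside this hunk) or adding `/* reached on success too; rc decides whether the session is failed */` above it would stop a reader from assuming everything below the label is failure-only. The test also matches the single value SSH_ERROR. If any call in the part of the function not shown here can return a different failure code, the session state would stay unchanged, which is worth confirming.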