CVE-2015-3146: Fix state validation in packet handlers

The state validation in the packet handlers for SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY had a bug which did not raise an error. The issue has been found and reported by Mariusz Ziule. Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
author: Aris Adamantiadis <aris@0xbadc0de.be> 2015-04-15 16:08:37 +0200
committer: Andreas Schneider <asn@cryptomilk.org> 2015-04-23 10:15:47 +0200
commit: bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe (patch)
tree: 0375ca3419731a32b6192b362e8d78db01dfd8f9 /src/server.c
parent: b5dc8197f78b6639ca75aa93d6c421c0181d0f32 (diff)
download: libssh-bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe.tar.gz
libssh-bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe.tar.xz
libssh-bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe.zip
1 files changed, 5 insertions, 3 deletions
diff --git a/src/server.c b/src/server.c
index 61641a6e..01145764 100644
--- a/src/server.c
+++ b/src/server.c
@@ -172,7 +172,7 @@ static int ssh_server_kexdh_init(ssh_session session, ssh_buffer packet){
 }
 
 SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
-  int rc;
+  int rc = SSH_ERROR;
   (void)type;
   (void)user;
 
@@ -209,9 +209,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
         ssh_set_error(session,SSH_FATAL,"Wrong kex type in ssh_packet_kexdh_init");
         rc = SSH_ERROR;
   }
-  if (rc == SSH_ERROR)
+
+error:
+  if (rc == SSH_ERROR) {
       session->session_state = SSH_SESSION_STATE_ERROR;
-  error:
+  }
 
   return SSH_PACKET_USED;
 }
author	Aris Adamantiadis <aris@0xbadc0de.be>	2015-04-15 16:08:37 +0200
committer	Andreas Schneider <asn@cryptomilk.org>	2015-04-23 10:15:47 +0200
commit	bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe (patch)
tree	0375ca3419731a32b6192b362e8d78db01dfd8f9 /src/server.c
parent	b5dc8197f78b6639ca75aa93d6c421c0181d0f32 (diff)
download	libssh-bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe.tar.gz libssh-bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe.tar.xz libssh-bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe.zip