From bf0c7ae0aeb0ebe661d11ea6785fff2cbf4f3dbe Mon Sep 17 00:00:00 2001
From: Aris Adamantiadis
Date: Wed, 15 Apr 2015 16:08:37 +0200
Subject: CVE-2015-3146: Fix state validation in packet handlers

The state validation in the packet handlers for SSH_MSG_NEWKEYS and SSH_MSG_KEXDH_REPLY had a bug which did not raise an error.

The issue has been found and reported by Mariusz Ziule.

Signed-off-by: Aris Adamantiadis
Reviewed-by: Andreas Schneider
---
 src/server.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'src/server.c')

diff --git a/src/server.c b/src/server.c
index 61641a6e..01145764 100644
--- a/src/server.c
+++ b/src/server.c
@@ -172,7 +172,7 @@ static int ssh_server_kexdh_init(ssh_session session, ssh_buffer packet){
 }
 SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
- int rc;
+ int rc = SSH_ERROR;
 (void)type;
 (void)user;
@@ -209,9 +209,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
 ssh_set_error(session,SSH_FATAL,"Wrong kex type in ssh_packet_kexdh_init");
 rc = SSH_ERROR;
 }
- if (rc == SSH_ERROR)
+
+error:
+ if (rc == SSH_ERROR) {
 session->session_state = SSH_SESSION_STATE_ERROR;
- error:
+ }
 return SSH_PACKET_USED;
 }
-- 
cgit
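Review bot: The `error:` label in the second hunk is now the single exit for both the normal path and every `goto error`, and with `rc` initialised to `SSH_ERROR` in the first hunk any jump taken before `rc` is assigned leaves the session in the error state; neither line says so, and a later cleanup that reverts the declaration to `int rc;` would silently reopen the bug. A comment at the declaration, `/* fail closed: a goto error before rc is set must still put the session in error state */`, and one at the label, `/* common exit: rc == SSH_ERROR marks the session unusable for later packets */`, would pin that intent. The body of ssh_packet_kexdh_init between the two hunks is not shown, so whether any path assigns a non-error `rc` and then jumps to `error:` cannot be checked from here. The commit message also names the SSH_MSG_NEWKEYS handler, but this view is limited to src/server.c, so that part of the fix is not visible in these hunks.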