openbsd/src
1
0
Fork 0
mirror of https://github.com/openbsd/src.git synced 2026-06-18 07:13:36 +02:00
Code Activity

stricter validation of the transport state passed from the

Browse Source 
unprivileged preauth sshd-auth process to the user-privileged
postauth sshd-session process.

These are harmless unless an attacker had an exploit for sshd-auth
in which case they could be used for post-auth memory DoS or to
crash you own session in a new and exciting way.

Reported by bylee3 and Kayky Vinicius

ok markus
This commit is contained in:
djm
2026-05-31 04:37:56 +00:00
parent 204d162f81
commit 0f4d9fd15f
3 changed files with 18 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
usr.bin/ssh/cipher.c
+7 -1
View File
@@ -1,4 +1,4 @@
/* $OpenBSD: cipher.c,v 1.127 2026/05/13 05:58:58 djm Exp $ */
/* $OpenBSD: cipher.c,v 1.128 2026/05/31 04:37:56 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -177,6 +177,12 @@ cipher_is_cbc(const struct sshcipher *c)
return (c->flags & CFLAG_CBC) != 0;
}
u_int
cipher_is_internal(const struct sshcipher *c)
{
return (c->flags & CFLAG_INTERNAL) != 0;
}
u_int
cipher_ctx_is_plaintext(struct sshcipher_ctx *cc)
{
usr.bin/ssh/cipher.h
+2 -1
View File
@@ -1,4 +1,4 @@
/* $OpenBSD: cipher.h,v 1.56 2023/10/10 06:49:54 tb Exp $ */
/* $OpenBSD: cipher.h,v 1.57 2026/05/31 04:37:56 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -68,6 +68,7 @@ u_int cipher_seclen(const struct sshcipher *);
u_int cipher_authlen(const struct sshcipher *);
u_int cipher_ivlen(const struct sshcipher *);
u_int cipher_is_cbc(const struct sshcipher *);
u_int cipher_is_internal(const struct sshcipher *);
u_int cipher_ctx_is_plaintext(struct sshcipher_ctx *);
usr.bin/ssh/packet.c
+9 -3
View File
@@ -1,4 +1,4 @@
/* $OpenBSD: packet.c,v 1.336 2026/05/31 04:24:39 djm Exp $ */
/* $OpenBSD: packet.c,v 1.337 2026/05/31 04:37:56 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2513,7 +2513,9 @@ newkeys_from_blob(struct sshbuf *m, struct ssh *ssh, int mode)
(r = sshbuf_get_string(b, &enc->key, &keylen)) != 0 ||
(r = sshbuf_get_string(b, &enc->iv, &ivlen)) != 0)
goto out;
if ((enc->cipher = cipher_by_name(enc->name)) == NULL) {
if ((enc->cipher = cipher_by_name(enc->name)) == NULL ||
enc->block_size != cipher_blocksize(enc->cipher) ||
cipher_is_internal(enc->cipher)) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
@@ -2525,7 +2527,7 @@ newkeys_from_blob(struct sshbuf *m, struct ssh *ssh, int mode)
if ((r = sshbuf_get_u32(b, (u_int *)&mac->enabled)) != 0 ||
(r = sshbuf_get_string(b, &mac->key, &maclen)) != 0)
goto out;
if (maclen > mac->key_len) {
if (maclen != mac->key_len) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
@@ -2571,6 +2573,10 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp)
(r = sshbuf_get_stringb(m, kex->session_id)) != 0 ||
(r = sshbuf_get_u32(m, &kex->flags)) != 0)
goto out;
if (kex->we_need > 1024) {
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
kex->server = 1;
kex->done = 1;
r = 0;