
make the transport protocol stricter by disconnecting if the peer

sends non-KEX messages during a key re-exchange.

Previously an evil peer could continue sending non-KEX messages
without penalty, causing memory to be wasted up until the
connection terminated or the server/client hit an OOM limit.

reported by Marko Jevtic; ok markus@
This commit is contained in:
djm
2026-05-31 04:44:38 +00:00
parent 0f4d9fd15f
commit 9032e60e13
3 changed files with 17 additions and 4 deletions
+7 -2
@@ -1,4 +1,4 @@
/* $OpenBSD: kex.c,v 1.193 2026/03/05 05:40:35 djm Exp $ */
/* $OpenBSD: kex.c,v 1.194 2026/05/31 04:44:38 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@@ -565,7 +565,7 @@ kex_input_newkeys(int type, uint32_t seq, struct ssh *ssh)
kex->done = 1;
kex->flags &= ~KEX_INITIAL;
sshbuf_reset(kex->peer);
kex->flags &= ~KEX_INIT_SENT;
kex->flags &= ~(KEX_INIT_SENT|KEX_INIT_RECVD);
return 0;
}
@@ -623,6 +623,11 @@ kex_input_kexinit(int type, uint32_t seq, struct ssh *ssh)
}
free(kex->name);
kex->name = NULL;
if ((kex->flags & KEX_INIT_RECVD) != 0) {
ssh_packet_disconnect(ssh,
"multiple KEXINIT received from peer");
}
kex->flags |= KEX_INIT_RECVD;
ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error);
ptr = sshpkt_ptr(ssh, &dlen);
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
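Review bot: The lifecycle of KEX_INIT_RECVD — set at `kex->flags |= KEX_INIT_RECVD;` in kex_input_kexinit and cleared in kex_input_newkeys in the previous hunk — is what the new packet.c gate relies on, yet neither site says why the peer's KEXINIT and the peer's NEWKEYS are the two endpoints; I would add `/* peer may now send only transport/KEX messages until its NEWKEYS (RFC 4253 7.1); cleared in kex_input_newkeys() */` above the `|=` line. The `multiple KEXINIT received from peer` disconnect just above it appears reachable only if the KEXINIT dispatch slot is re-armed before NEWKEYS, since the context line `ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error);` already routes a repeated KEXINIT to a protocol error; a short comment naming that path would make the check's purpose clear. kex_input_kexinit starts before this hunk and continues after it.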
+2 -1
@@ -1,4 +1,4 @@
/* $OpenBSD: kex.h,v 1.129 2026/03/05 05:40:36 djm Exp $ */
/* $OpenBSD: kex.h,v 1.130 2026/05/31 04:44:38 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -108,6 +108,7 @@ enum kex_exchange {
#define KEX_HAS_PING 0x0020
#define KEX_HAS_EXT_INFO_IN_AUTH 0x0040
#define KEX_HAS_NEWAGENT 0x0080 /* only set in client */
#define KEX_INIT_RECVD 0x0100
/* kex->pq */
#define KEX_NOT_PQ 0
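Review bot: The new flag has no trailing comment while the neighbouring `KEX_HAS_NEWAGENT` documents its scope, and this flag is the one the packet-layer check in packet.c now keys on, so its meaning should be stated at the definition: `#define KEX_INIT_RECVD 0x0100 /* peer KEXINIT received, its NEWKEYS not yet */`.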
+8 -1
@@ -1,4 +1,4 @@
/* $OpenBSD: packet.c,v 1.337 2026/05/31 04:37:56 djm Exp $ */
/* $OpenBSD: packet.c,v 1.338 2026/05/31 04:44:38 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1929,6 +1929,13 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, uint32_t *seqnr_p)
DBG(debug("Received SSH2_MSG_PONG len %zu", len));
break;
default:
if (ssh->kex != NULL &&
(ssh->kex->flags & KEX_INIT_RECVD) != 0 &&
!ssh_packet_type_is_kex(*typep)) {
error("non-transport message %u received "
"from peer during key exchange", *typep);
return SSH_ERR_PROTOCOL_ERROR;
}
return 0;
}
}
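Review bot: The new gate in the `default:` arm is keyed on KEX_INIT_RECVD rather than KEX_INIT_SENT, which is the right choice — until the peer has sent its own KEXINIT it is still permitted to send ordinary traffic even if we have already started a re-exchange — but nothing at the check records that reasoning. I would put `/* RFC 4253 7.1: once the peer has sent KEXINIT it may send only transport/KEX messages until its NEWKEYS; gate on the peer's KEXINIT (KEX_INIT_RECVD), not our own (KEX_INIT_SENT). */` above the `if (ssh->kex != NULL &&` line. The `non-transport message` wording in the error presumably matches what ssh_packet_type_is_kex() accepts; if that helper admits the whole transport range rather than only KEX types, the log text is accurate as written. ssh_packet_read_poll_seqnr begins before this hunk.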