lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-11-30 13:01:23 +03:00
Code Activity

CVE-2015-3146: Fix state validation in packet handlers

Browse Source 
The state validation in the packet handlers for SSH_MSG_NEWKEYS and
SSH_MSG_KEXDH_REPLY had a bug which did not raise an error.

The issue has been found and reported by Mariusz Ziule.

Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Aris Adamantiadis
2015-04-15 16:08:37 +02:00
committed by Andreas Schneider
parent b5dc8197f7
commit bf0c7ae0ae
2 changed files with 15 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/packet_cb.c
View File

@@ -97,7 +97,7 @@ SSH_PACKET_CALLBACK(ssh_packet_dh_reply){
(void)type;
(void)user;
SSH_LOG(SSH_LOG_PROTOCOL,"Received SSH_KEXDH_REPLY");
if(session->session_state!= SSH_SESSION_STATE_DH &&
if (session->session_state != SSH_SESSION_STATE_DH ||
session->dh_handshake_state != DH_STATE_INIT_SENT){
ssh_set_error(session,SSH_FATAL,"ssh_packet_dh_reply called in wrong state : %d:%d",
session->session_state,session->dh_handshake_state);
@@ -138,12 +138,16 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys){
(void)user;
(void)type;
SSH_LOG(SSH_LOG_PROTOCOL, "Received SSH_MSG_NEWKEYS");
if(session->session_state!= SSH_SESSION_STATE_DH &&
if (session->session_state != SSH_SESSION_STATE_DH ||
session->dh_handshake_state != DH_STATE_NEWKEYS_SENT) {
ssh_set_error(session,SSH_FATAL,"ssh_packet_newkeys called in wrong state : %d:%d",
ssh_set_error(session,
SSH_FATAL,
"ssh_packet_newkeys called in wrong state : %d:%d",
session->session_state,session->dh_handshake_state);
goto error;
}
if(session->server){
/* server things are done in server.c */
session->dh_handshake_state=DH_STATE_FINISHED;

8
src/server.c
View File

@@ -172,7 +172,7 @@ static int ssh_server_kexdh_init(ssh_session session, ssh_buffer packet){
}
SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
int rc;
int rc = SSH_ERROR;
(void)type;
(void)user;
@@ -209,9 +209,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexdh_init){
ssh_set_error(session,SSH_FATAL,"Wrong kex type in ssh_packet_kexdh_init");
rc = SSH_ERROR;
}
if (rc == SSH_ERROR)
session->session_state = SSH_SESSION_STATE_ERROR;
error:
if (rc == SSH_ERROR) {
session->session_state = SSH_SESSION_STATE_ERROR;
}
return SSH_PACKET_USED;
}