From afb706d146832ba6fb41a40eb0e408f7c81a3fc2 Mon Sep 17 00:00:00 2001
From: Peter Wagner
Date: Mon, 17 Oct 2016 21:26:26 +0200
Subject: [PATCH] openssh: Unregister the KEXINIT handler after message has been received.

Otherwise an unauthenticated peer can repeat the KEXINIT and cause allocation of up to 128MB -- until the connection is closed. Reported by shilei-c at 360.cn https://github.com/openssh/openssh-portable/commit/ec165c392ca54317dbe3064a8c200de6531e89ad
Signed-off-by: Peter Wagner
---
 net/openssh/Makefile | 2 +-
 ...ter-the-KEXINIT-handler-after-receive.patch | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 net/openssh/patches/101-Unregister-the-KEXINIT-handler-after-receive.patch

diff --git a/net/openssh/Makefile b/net/openssh/Makefile
index 10eb434f5b..73e7e67659 100644
--- a/net/openssh/Makefile
+++ b/net/openssh/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssh
 PKG_VERSION:=7.3p1
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
diff --git a/net/openssh/patches/101-Unregister-the-KEXINIT-handler-after-receive.patch b/net/openssh/patches/101-Unregister-the-KEXINIT-handler-after-receive.patch
new file mode 100644
index 0000000000..f7b41dc49e
--- /dev/null
+++ b/net/openssh/patches/101-Unregister-the-KEXINIT-handler-after-receive.patch
@@ -0,0 +1,18 @@
+diff --git a/kex.c b/kex.c
+index 50c7a0f..d09c27b 100644
+--- a/kex.c
++++ b/kex.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: kex.c,v 1.118 2016/05/02 10:26:04 djm Exp $ */
++/* $OpenBSD: kex.c,v 1.127 2016/10/10 19:28:48 markus Exp $ */
+ /*
+ * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
+ *
+@@ -472,6 +472,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
+ if (kex == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+ 
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
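Review bot: The new patch file starts directly at `+diff --git a/kex.c b/kex.c` with no header, so nothing in the file itself records where the change comes from or when it can be dropped. A short quilt-style header above the first `diff` line would carry that, e.g. `Backport of upstream openssh-portable ec165c392ca54317dbe3064a8c200de6531e89ad: unregister the KEXINIT handler once the message is received, so an unauthenticated peer cannot repeat KEXINIT and keep growing kex->peer; drop when the package moves past 7.3p1.` The `$OpenBSD$` ID hunk moves kex.c from 1.118 to 1.127 although only this one change is backported, which can mislead a later comparison against upstream; that hunk could be left out of the backport. The added `ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL)` relies on the handler being re-registered for rekeying elsewhere in kex.c (upstream does this in kex_reset_dispatch), which this patch does not touch, so it is worth confirming the 7.3p1 source does the same; the rest of kex_input_kexinit lies outside the hunk.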