author | Anderson Toshiyuki Sasaki <ansasaki@redhat.com> | 2018-09-19 14:37:40 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2018-10-09 11:45:59 +0200 |
commit | e5ff7aa410c23954a2963b52e7b721a2d41536f3 (patch) | |
tree | 0e4100e4110d89d40aae06446b8d481b0afd1a10 | |
parent | 3837a0547f08b160749fed7496316a62d6c11dea (diff) | |
CVE-2018-10933: Check channel state when OPEN_FAILURE arrives
When a SSH2_MSG_OPEN_FAILURE arrives, the channel state is checked
to be in SSH_CHANNEL_STATE_OPENING.
Fixes T101
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-rw-r--r-- | src/channels.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/channels.c b/src/channels.c
index d5d36af5..538956dd 100644
--- a/src/channels.c
+++ b/src/channels.c
@@ -219,6 +219,14 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){
 return SSH_PACKET_USED;
 }
+ if (channel->state != SSH_CHANNEL_STATE_OPENING) {
+ SSH_LOG(SSH_LOG_RARE,
+ "SSH2_MSG_CHANNEL_OPEN_FAILURE received in incorrect channel "
+ "state %d",
+ channel->state);
+ goto error;
+ }
+
 ssh_set_error(session, SSH_REQUEST_DENIED,
 "Channel opening failure: channel %u error (%lu) %s",
 channel->local_channel,
@@ -226,6 +234,9 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){
 error);
 SAFE_FREE(error);
 channel->state=SSH_CHANNEL_STATE_OPEN_DENIED;
+
+error:
+ ssh_set_error(session, SSH_FATAL, "Invalid packet");
 return SSH_PACKET_USED;
 } |
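Review bot: The new `goto error` in the state check appears to skip `SAFE_FREE(error)`, which runs only on the normal path after `ssh_set_error` has used the string. If the description string was already unpacked before this check (the unpack call is above the hunk, so this is inferred), it leaks every time the packet arrives in the wrong channel state, and the peer decides how often that happens. Adding `SAFE_FREE(error);` before `goto error;`, or freeing under the label, closes it. A short comment above the check, for example `/* Only a channel that is still opening may be refused */`, would also record why the state is tested.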
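Review bot: The normal path falls through into the new `error:` label, because nothing returns after `channel->state=SSH_CHANNEL_STATE_OPEN_DENIED;`. Every legitimate open failure therefore also runs `ssh_set_error(session, SSH_FATAL, "Invalid packet")`, which presumably replaces the `SSH_REQUEST_DENIED` message set just above and reports a refused channel as a fatal session error. Adding `return SSH_PACKET_USED;` before the label keeps the two outcomes separate. The label also shares its name with the local `error` string passed to `SAFE_FREE`; that is legal C but easy to misread, and a name such as `invalid_state:` would be clearer.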