authorAnderson Toshiyuki Sasaki <ansasaki@redhat.com>2018-09-19 14:37:40 +0200
committerAndreas Schneider <asn@cryptomilk.org>2018-10-09 11:45:59 +0200
commite5ff7aa410c23954a2963b52e7b721a2d41536f3 (patch)
tree0e4100e4110d89d40aae06446b8d481b0afd1a10
parent3837a0547f08b160749fed7496316a62d6c11dea (diff)
CVE-2018-10933: Check channel state when OPEN_FAILURE arrives
When a SSH2_MSG_OPEN_FAILURE arrives, the channel state is checked to be in SSH_CHANNEL_STATE_OPENING. Fixes T101 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-rw-r--r--src/channels.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/channels.c b/src/channels.c
index d5d36af5..538956dd 100644
--- a/src/channels.c
+++ b/src/channels.c
@@ -219,6 +219,14 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){
return SSH_PACKET_USED;
}
+ if (channel->state != SSH_CHANNEL_STATE_OPENING) {
+ SSH_LOG(SSH_LOG_RARE,
+ "SSH2_MSG_CHANNEL_OPEN_FAILURE received in incorrect channel "
+ "state %d",
+ channel->state);
+ goto error;
+ }
+
ssh_set_error(session, SSH_REQUEST_DENIED,
"Channel opening failure: channel %u error (%lu) %s",
channel->local_channel,
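Review bot: The `goto error` in the new state check jumps past the `SAFE_FREE(error)` that only the normal path reaches (visible in the next hunk), so the `error` string is not released on this branch. Where `error` is allocated lies outside the hunk, so this is inferred; if it is already populated at this point, every OPEN_FAILURE received in the wrong channel state leaks it, and the remote peer decides when that message is sent. Freeing before the jump, `SAFE_FREE(error);` directly above `goto error;`, or moving the free below the label, would close it. The function body starts before this hunk.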
@@ -226,6 +234,9 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){
error);
SAFE_FREE(error);
channel->state=SSH_CHANNEL_STATE_OPEN_DENIED;
+
+error:
+ ssh_set_error(session, SSH_FATAL, "Invalid packet");
return SSH_PACKET_USED;
}
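Review bot: Nothing returns before the new `error:` label, so the legitimate path, after setting `SSH_REQUEST_DENIED` and `SSH_CHANNEL_STATE_OPEN_DENIED`, falls through into `ssh_set_error(session, SSH_FATAL, "Invalid packet")`. That presumably replaces the descriptive "Channel opening failure" message with a fatal one for an ordinary refused channel, which misleads callers and anyone triaging logs. Adding `return SSH_PACKET_USED;` right after `channel->state=SSH_CHANNEL_STATE_OPEN_DENIED;` keeps the two outcomes apart. The label also shares its name with the local `error` string; that is legal in C, but a distinct name such as `invalid_state:` would read more clearly.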